Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528405
MD5:	64d0f74791e4442e0f5a2e1e28e07cc8
SHA1:	6ec83a1c59b79bcb9ec5936407fe98e42c885ec9
SHA256:	03fa901819757c3e94dae4eab02b97409c67c383705076faea35c8bdf86c41ba
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 64D0F74791E4442E0F5A2E1E28E07CC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["spirittunek.stor", "clearancek.site", "bathdoomgaz.stor", "mobbipenju.stor", "dissapoiznw.stor", "licendfilteo.site", "studennotediw.stor", "eaglepawnoy.stor"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:08:09.474978+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.5	59613	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:08:09.413184+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.5	56356	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:08:09.451483+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.5	60789	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:08:09.438706+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.5	55771	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:08:09.499559+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.5	54820	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:08:09.425942+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.5	60781	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:08:09.486755+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.5	54609	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:08:09.462878+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.5	51656	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.6432.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["spirittunek.stor", "clearancek.site", "bathdoomgaz.stor", "mobbipenju.stor", "dissapoiznw.stor", "licendfilteo.site", "studennotediw.stor", "eaglepawnoy.stor"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0076D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0076D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_007A63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_007A695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_007A99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0076FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00770EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_007A4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_0079F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00776F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00761000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_007A6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0078D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00782260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00782260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_007742FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0076A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_007923E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_007923E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_007923E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_007923E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_007923E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_007923E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0078C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0077D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_007A1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0077B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0078E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_007A64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00776536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_007A7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00789510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00768590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0078E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0079B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_007A7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_007A5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_007A67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0078D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_007828E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0077D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_007A3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_007649A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00765A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_007A4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00771A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00771ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_0077DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_0077DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_007A9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00773BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00771BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00790B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_0078EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_0079FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00787C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_007A9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_007A9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_0078CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0078CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_0078CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0078AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_0078AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0078DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_0078FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_007A8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00785E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00787E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_0078AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00774E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_0076BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00776EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00766EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00771E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0079FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00789F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00768FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_0077FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_007A5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_007A7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_007A7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00776F91

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:56356 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:55771 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:60781 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:54820 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:51656 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:54609 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:60789 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:59613 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://*.discovery.be equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=3c56a22f796819c26acdf96b; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 20:08:10 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controly equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108727792.0000000001128000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128348954.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108727792.0000000001140000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128348954.0000000001140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/0
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2128348954.0000000001140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2108727792.0000000001165000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128348954.0000000001165000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studennotediw.store/apiT
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108727792.0000000001128000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00770228	0_2_00770228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087808E	0_2_0087808E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A4040	0_2_007A4040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00772030	0_2_00772030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00761000	0_2_00761000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AA0D0	0_2_007AA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00765160	0_2_00765160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007671F0	0_2_007671F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076E1A0	0_2_0076E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007612F7	0_2_007612F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007982D0	0_2_007982D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007912D0	0_2_007912D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076A300	0_2_0076A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007923E0	0_2_007923E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007613A3	0_2_007613A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076B3A0	0_2_0076B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078C470	0_2_0078C470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007964F0	0_2_007964F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077049B	0_2_0077049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774487	0_2_00774487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077C5F0	0_2_0077C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007635B0	0_2_007635B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00768590	0_2_00768590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BC577	0_2_008BC577
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A8652	0_2_007A8652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076164F	0_2_0076164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079F620	0_2_0079F620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A86F0	0_2_007A86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00939627	0_2_00939627
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092F777	0_2_0092F777
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791860	0_2_00791860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076A850	0_2_0076A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079B8C0	0_2_0079B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079E8A0	0_2_0079E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A89A0	0_2_007A89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078098B	0_2_0078098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00870A92	0_2_00870A92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A4A40	0_2_007A4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A7AB0	0_2_007A7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A8A80	0_2_007A8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077DB6F	0_2_0077DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092DCC5	0_2_0092DCC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A8C02	0_2_007A8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078CCD0	0_2_0078CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00937C2D	0_2_00937C2D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A6CBF	0_2_007A6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00767C8D	0_2_00767C8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00788D62	0_2_00788D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00932DB5	0_2_00932DB5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078DD29	0_2_0078DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078FD10	0_2_0078FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A8E70	0_2_007A8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078AE57	0_2_0078AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774E2A	0_2_00774E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076BEB0	0_2_0076BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00776EBF	0_2_00776EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076AF10	0_2_0076AF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00768FD0	0_2_00768FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A7FC0	0_2_007A7FC0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0076CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0077D300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994520936468647
Source: file.exe	Static PE information: Section: felyekru ZLIB complexity 0.994693273944193

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00798220 CoCreateInstance,

0_2_00798220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1867264 > 1048576

Source: file.exe

Static PE information: Raw size of felyekru is bigger than: 0x100000 < 0x19e600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.760000.0.unpack :EW;.rsrc :W;.idata :W; :EW;felyekru:EW;oqoyfwzb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;felyekru:EW;oqoyfwzb:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1c93b6 should be: 0x1c8528

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: felyekru
Source: file.exe	Static PE information: section name: oqoyfwzb
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087808E push 70657DE3h; mov dword ptr [esp], ecx	0_2_00878096
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093709C push edx; mov dword ptr [esp], ecx	0_2_009370F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093709C push 590B2AF0h; mov dword ptr [esp], ecx	0_2_00937126
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093709C push 0014D0C8h; mov dword ptr [esp], ebx	0_2_0093713D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093709C push esi; mov dword ptr [esp], ebx	0_2_00937152
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093709C push 71B070BBh; mov dword ptr [esp], ebp	0_2_009371D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093709C push 56854433h; mov dword ptr [esp], esi	0_2_009371D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093709C push 35976FD3h; mov dword ptr [esp], ebp	0_2_0093723D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BA08F push ebp; mov dword ptr [esp], 6EFFC3A1h	0_2_009BA0B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A40B7 push ebx; mov dword ptr [esp], edx	0_2_009A40C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A40B7 push 630FE848h; mov dword ptr [esp], eax	0_2_009A40D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A40B7 push 2AE45827h; mov dword ptr [esp], eax	0_2_009A47B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009AC0F8 push 454D79F7h; mov dword ptr [esp], esp	0_2_009AC156
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A170D4 push 588EC202h; mov dword ptr [esp], esi	0_2_00A17259
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E10A3 push ecx; mov dword ptr [esp], eax	0_2_007E113A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E10A3 push ecx; mov dword ptr [esp], 17A3E996h	0_2_007E1164
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E10A3 push ebx; mov dword ptr [esp], 55D6C5A2h	0_2_007E120C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E10A3 push ebp; mov dword ptr [esp], esi	0_2_007E1250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BB071 push edx; mov dword ptr [esp], esi	0_2_009BB08F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1B04F push 26AC1780h; mov dword ptr [esp], ecx	0_2_00A1B0CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C11D2 push 79D35281h; mov dword ptr [esp], ecx	0_2_009C120D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C11D2 push 764CCE8Bh; mov dword ptr [esp], edx	0_2_009C124D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096613C push ebx; mov dword ptr [esp], 3B77B038h	0_2_0096615E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096613C push 177813E1h; mov dword ptr [esp], ebp	0_2_00966209
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00946145 push ecx; mov dword ptr [esp], eax	0_2_00946321
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00946145 push 34F80510h; mov dword ptr [esp], edi	0_2_00946329
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00946145 push edx; mov dword ptr [esp], 6F37CCB9h	0_2_0094632D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00856166 push edi; mov dword ptr [esp], eax	0_2_00856216
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00856166 push ebp; mov dword ptr [esp], ecx	0_2_0085625D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00856166 push ecx; mov dword ptr [esp], eax	0_2_008562E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00856166 push 48255583h; mov dword ptr [esp], esp	0_2_00856320

Source: file.exe	Static PE information: section name: entropy: 7.9763558819511875
Source: file.exe	Static PE information: section name: felyekru entropy: 7.953710757441963

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941D17 second address: 941D21 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F58ECF3A5D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941D21 second address: 941D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940CD8 second address: 940CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940CE7 second address: 940CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940E99 second address: 940EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F58ECF3A5CCh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940EAB second address: 940EAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941137 second address: 941168 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F58ECF3A5C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e jg 00007F58ECF3A5CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F58ECF3A5CFh 0x0000001b jng 00007F58ECF3A5C6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941168 second address: 941177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jne 00007F58ECD22316h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9413C6 second address: 9413E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F58ECF3A5CCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9413E9 second address: 9413F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9413F4 second address: 941407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jng 00007F58ECF3A5C6h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941407 second address: 94140C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941579 second address: 94157D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94157D second address: 941591 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F58ECD22316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F58ECD22334h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941591 second address: 94159B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F58ECF3A5C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 944FC7 second address: 944FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 944FCB second address: 945039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F58ECF3A5D2h 0x0000000e jno 00007F58ECF3A5CCh 0x00000014 nop 0x00000015 and ecx, dword ptr [ebp+122D37E0h] 0x0000001b push 00000000h 0x0000001d pushad 0x0000001e sub esi, 6F973BC1h 0x00000024 jc 00007F58ECF3A5CBh 0x0000002a popad 0x0000002b call 00007F58ECF3A5C9h 0x00000030 jbe 00007F58ECF3A5D4h 0x00000036 push eax 0x00000037 pushad 0x00000038 jnp 00007F58ECF3A5CCh 0x0000003e jne 00007F58ECF3A5C6h 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F58ECF3A5CBh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945039 second address: 945138 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F58ECD22316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F58ECD22322h 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007F58ECD2231Eh 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007F58ECD22325h 0x00000024 pop eax 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F58ECD22318h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f jmp 00007F58ECD22325h 0x00000044 jmp 00007F58ECD2231Ah 0x00000049 push 00000003h 0x0000004b mov dword ptr [ebp+122D2E4Bh], edx 0x00000051 push 00000000h 0x00000053 mov dword ptr [ebp+122D337Dh], edi 0x00000059 jmp 00007F58ECD22327h 0x0000005e push 00000003h 0x00000060 xor dword ptr [ebp+124522FBh], edx 0x00000066 call 00007F58ECD22319h 0x0000006b pushad 0x0000006c js 00007F58ECD22318h 0x00000072 pushad 0x00000073 popad 0x00000074 jmp 00007F58ECD22320h 0x00000079 popad 0x0000007a push eax 0x0000007b jno 00007F58ECD22326h 0x00000081 mov eax, dword ptr [esp+04h] 0x00000085 pushad 0x00000086 pushad 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9451C5 second address: 9451C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9451C9 second address: 9451D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9453EF second address: 9453F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9453F3 second address: 9453F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9453F9 second address: 9454AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 241F3607h 0x00000010 jmp 00007F58ECF3A5CDh 0x00000015 mov ecx, dword ptr [ebp+122D37DCh] 0x0000001b push 00000003h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F58ECF3A5C8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 movsx edx, bx 0x0000003a push esi 0x0000003b pushad 0x0000003c jbe 00007F58ECF3A5C6h 0x00000042 mov dword ptr [ebp+122D1882h], ecx 0x00000048 popad 0x00000049 pop ecx 0x0000004a push 00000000h 0x0000004c mov esi, dword ptr [ebp+122D2D45h] 0x00000052 push 00000003h 0x00000054 jng 00007F58ECF3A5CBh 0x0000005a mov esi, 711CF663h 0x0000005f mov edx, edi 0x00000061 call 00007F58ECF3A5C9h 0x00000066 jo 00007F58ECF3A5D2h 0x0000006c jns 00007F58ECF3A5CCh 0x00000072 push eax 0x00000073 jmp 00007F58ECF3A5CDh 0x00000078 mov eax, dword ptr [esp+04h] 0x0000007c push esi 0x0000007d je 00007F58ECF3A5C8h 0x00000083 push ebx 0x00000084 pop ebx 0x00000085 pop esi 0x00000086 mov eax, dword ptr [eax] 0x00000088 pushad 0x00000089 push edx 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9454AB second address: 945503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 je 00007F58ECD22316h 0x0000000c jmp 00007F58ECD22321h 0x00000011 popad 0x00000012 popad 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 push esi 0x00000019 ja 00007F58ECD22316h 0x0000001f pop esi 0x00000020 jmp 00007F58ECD2231Ah 0x00000025 popad 0x00000026 pop eax 0x00000027 jmp 00007F58ECD2231Ch 0x0000002c lea ebx, dword ptr [ebp+12454EDCh] 0x00000032 jne 00007F58ECD22317h 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945503 second address: 945507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945507 second address: 94550D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96463C second address: 964640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 964640 second address: 964650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 964650 second address: 964654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 964B8F second address: 964B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 964B93 second address: 964B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 964E39 second address: 964E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958A8B second address: 958AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007F58ECF3A5D0h 0x00000010 pop edi 0x00000011 jp 00007F58ECF3A5F6h 0x00000017 jmp 00007F58ECF3A5CAh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958AFD second address: 958B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 965807 second address: 965816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 965816 second address: 965820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 965820 second address: 96582A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96582A second address: 965839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 js 00007F58ECD22316h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9660A4 second address: 9660AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F58ECF3A5C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9660AF second address: 9660D0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F58ECD22327h 0x00000008 jmp 00007F58ECD22321h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9660D0 second address: 9660D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9660D6 second address: 9660E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD2231Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9660E4 second address: 9660F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F58ECF3A5C6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9660F0 second address: 9660F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 966489 second address: 96648F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96648F second address: 966493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 966493 second address: 96649D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969A6E second address: 969A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969A72 second address: 969A92 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F58ECF3A5C6h 0x00000008 ja 00007F58ECF3A5C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jg 00007F58ECF3A5C8h 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007F58ECF3A5C6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969A92 second address: 969A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92F253 second address: 92F266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F58ECF3A5C6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F58ECF3A5C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 970AF2 second address: 970AFC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F58ECD22322h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 970AFC second address: 970B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97135D second address: 971374 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F58ECD22320h 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 971374 second address: 97137A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97137A second address: 97139F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58ECD22321h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007F58ECD22318h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973D8B second address: 973D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973D90 second address: 973D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97425A second address: 97425E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9743F3 second address: 9743FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F58ECD22316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9743FD second address: 974401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974DBA second address: 974DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F58ECD22316h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974DCC second address: 974DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9756D1 second address: 975739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F58ECD22318h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov si, dx 0x00000024 push 00000000h 0x00000026 or esi, dword ptr [ebp+122D382Ch] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F58ECD22318h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D2A6Dh], ecx 0x0000004e xchg eax, ebx 0x0000004f js 00007F58ECD22324h 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 pop eax 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 975739 second address: 975752 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F58ECF3A5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007F58ECF3A5D8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F58ECF3A5C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9761C1 second address: 9761CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97604D second address: 97605F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F58ECF3A5C8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9761CB second address: 97620F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 or dword ptr [ebp+122D2F27h], ecx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F58ECD22318h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 movzx esi, dx 0x0000002c push 00000000h 0x0000002e cld 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 jbe 00007F58ECD22316h 0x00000039 pop edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 977428 second address: 977474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58ECF3A5D8h 0x00000008 jmp 00007F58ECF3A5CAh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F58ECF3A5CFh 0x00000019 jmp 00007F58ECF3A5D0h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 977EEE second address: 977EF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 977CF2 second address: 977CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 977EF4 second address: 977EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 977EF8 second address: 977F3F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F58ECF3A5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+122D395Ch] 0x00000015 jmp 00007F58ECF3A5D1h 0x0000001a push 00000000h 0x0000001c sub edi, dword ptr [ebp+122D3884h] 0x00000022 push 00000000h 0x00000024 jl 00007F58ECF3A5CEh 0x0000002a jng 00007F58ECF3A5C8h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 pushad 0x00000037 popad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 978A57 second address: 978A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9787E2 second address: 9787E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 978A5C second address: 978A7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD22325h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jo 00007F58ECD2231Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9787E8 second address: 9787ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9787ED second address: 9787F7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F58ECD2231Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 979F12 second address: 979F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97A73F second address: 97A743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97B093 second address: 97B0A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97A743 second address: 97A749 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97A749 second address: 97A74E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97E673 second address: 97E677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97E677 second address: 97E67B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97FC20 second address: 97FC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 jc 00007F58ECD22322h 0x0000000d jnp 00007F58ECD2231Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EE1B second address: 97EE1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980D3E second address: 980D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980D42 second address: 980DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F58ECF3A5D3h 0x0000000c nop 0x0000000d mov edi, edx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F58ECF3A5C8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov di, 1806h 0x0000002f push 00000000h 0x00000031 movzx ebx, cx 0x00000034 push eax 0x00000035 pushad 0x00000036 push edx 0x00000037 jo 00007F58ECF3A5C6h 0x0000003d pop edx 0x0000003e pushad 0x0000003f jmp 00007F58ECF3A5D7h 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97FEF1 second address: 97FF03 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F58ECD22316h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97FF03 second address: 97FF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 981E29 second address: 981E4B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 je 00007F58ECD22318h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F58ECD2231Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980FAA second address: 980FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980FAE second address: 980FC6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F58ECD2231Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983ED2 second address: 983EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 982EBB second address: 982EC5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F58ECD22316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 982EC5 second address: 982ED0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F58ECF3A5C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984FD1 second address: 98503B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F58ECD22318h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D39B4h] 0x00000029 push 00000000h 0x0000002b mov bh, D3h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F58ECD22318h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Ah 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov dword ptr [ebp+122D2FE8h], eax 0x0000004f xchg eax, esi 0x00000050 push eax 0x00000051 js 00007F58ECD22318h 0x00000057 pushad 0x00000058 popad 0x00000059 pop eax 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98503B second address: 98504E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F58ECF3A5CBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 986031 second address: 986037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 986037 second address: 98603B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 987287 second address: 987295 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F58ECD2231Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98840E second address: 988414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988414 second address: 988418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988418 second address: 988441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jl 00007F58ECF3A5C6h 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F58ECF3A5D5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9893CE second address: 9893D8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F58ECD22316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9893D8 second address: 9893DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9893DE second address: 9893E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B43F second address: 98B443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B443 second address: 98B449 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B449 second address: 98B491 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007F58ECF3A5C6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f sub dword ptr [ebp+12477F29h], eax 0x00000015 push 00000000h 0x00000017 clc 0x00000018 push ebx 0x00000019 sub bh, FFFFFF9Fh 0x0000001c pop ebx 0x0000001d push 00000000h 0x0000001f jne 00007F58ECF3A5C7h 0x00000025 push eax 0x00000026 pushad 0x00000027 jl 00007F58ECF3A5DCh 0x0000002d jmp 00007F58ECF3A5D6h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B491 second address: 98B495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98C3E0 second address: 98C417 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F58ECF3A5C8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov ebx, dword ptr [ebp+12452370h] 0x0000002a push 00000000h 0x0000002c mov bx, si 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98C417 second address: 98C41B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98D3C5 second address: 98D3DA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F58ECF3A5CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E549 second address: 98E562 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD2231Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98D601 second address: 98D607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FCB5 second address: 98FCBB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FCBB second address: 98FCC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999638 second address: 99963F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 998DD0 second address: 998E09 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F58ECF3A5C6h 0x00000008 jne 00007F58ECF3A5C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jg 00007F58ECF3A5E4h 0x00000016 push esi 0x00000017 push esi 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 998E09 second address: 998E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 998FBD second address: 998FC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99911C second address: 999120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999120 second address: 999124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999124 second address: 99912A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999253 second address: 999264 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F58ECF3A5CCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99EACA second address: 99EB22 instructions: 0x00000000 rdtsc 0x00000002 js 00007F58ECD22318h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jne 00007F58ECD22325h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jmp 00007F58ECD22328h 0x0000001d jmp 00007F58ECD22321h 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A3A44 second address: 9A3A4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A3A4A second address: 9A3A5F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F58ECD22316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007F58ECD2231Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A27FB second address: 9A2802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A34C3 second address: 9A34C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A35F1 second address: 9A35F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A35F5 second address: 9A35F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A35F9 second address: 9A35FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A38A2 second address: 9A38AC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F58ECD22316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7B18 second address: 9A7B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F58ECF3A5C6h 0x0000000a popad 0x0000000b jmp 00007F58ECF3A5D2h 0x00000010 jng 00007F58ECF3A5D2h 0x00000016 popad 0x00000017 pushad 0x00000018 jc 00007F58ECF3A5E1h 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F58ECF3A5D9h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7B6D second address: 9A7B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7B73 second address: 9A7B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F58ECF3A5D3h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AB2DF second address: 9AB2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AB2E6 second address: 9AB2EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AB2EB second address: 9AB30B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD2231Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F58ECD2232Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F58ECD22316h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AB30B second address: 9AB30F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AB30F second address: 9AB315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 972548 second address: 97254C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97254C second address: 972583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F58ECD22326h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F58ECD22323h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 972583 second address: 972589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 972589 second address: 958A8B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a mov dword ptr [ebp+1245F34Dh], ebx 0x00000010 pop ecx 0x00000011 call dword ptr [ebp+12460512h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a jne 00007F58ECD22316h 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 972778 second address: 97277E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 972CB6 second address: 972CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 972CBD second address: 972CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F58ECF3A5DCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 972CE4 second address: 972D06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD22326h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ecx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 972D06 second address: 972D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007F58ECF3A5D7h 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F58ECF3A5C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9735D4 second address: 9735F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58ECD22329h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9738AA second address: 9738BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58ECF3A5CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ABBA7 second address: 9ABBDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F58ECD2231Ah 0x0000000d jmp 00007F58ECD2231Dh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jbe 00007F58ECD22316h 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jne 00007F58ECD2231Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ABBDE second address: 9ABBE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ABFC1 second address: 9ABFFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F58ECD2231Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F58ECD22329h 0x00000011 pop esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F58ECD2231Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ABFFD second address: 9AC00C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F58ECF3A5C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AC00C second address: 9AC02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58ECD22327h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AC02C second address: 9AC032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AC032 second address: 9AC043 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jg 00007F58ECD22316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AF29D second address: 9AF2A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AF2A3 second address: 9AF2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4BC6 second address: 9B4C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F58ECF3A5CDh 0x0000000d jmp 00007F58ECF3A5CFh 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007F58ECF3A5D4h 0x0000001a jo 00007F58ECF3A5CEh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B367C second address: 9B3680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B432F second address: 9B433B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F58ECF3A5C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B433B second address: 9B435A instructions: 0x00000000 rdtsc 0x00000002 je 00007F58ECD22316h 0x00000008 jmp 00007F58ECD22322h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B448F second address: 9B449A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B45EE second address: 9B4604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58ECD22320h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4912 second address: 9B4917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4917 second address: 9B491D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B491D second address: 9B4923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B95D9 second address: 9B95E3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F58ECD22316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B95E3 second address: 9B9605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F58ECF3A5C6h 0x0000000d jmp 00007F58ECF3A5D3h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B977B second address: 9B9798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD22327h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9798 second address: 9B979C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B979C second address: 9B97A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B97A0 second address: 9B97B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F58ECF3A5E3h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B97B2 second address: 9B97B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9A76 second address: 9B9AAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F58ECF3A5D7h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007F58ECF3A5EEh 0x00000015 pushad 0x00000016 jmp 00007F58ECF3A5CEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9E8F second address: 9B9EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop esi 0x00000008 jns 00007F58ECD2233Ah 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9EC8 second address: 9B9ED4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F58ECF3A5C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA598 second address: 9BA59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA59D second address: 9BA5A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA5A3 second address: 9BA5A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8E7A second address: 9B8E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8E80 second address: 9B8E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007F58ECD22316h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8E8C second address: 9B8E92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE27A second address: 9BE280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE280 second address: 9BE298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5D2h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE298 second address: 9BE2BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F58ECD22325h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE466 second address: 9BE46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE46A second address: 9BE46E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE46E second address: 9BE474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5E5 second address: 9BE5EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F58ECD22316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0CA9 second address: 9C0CD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F58ECF3A5D3h 0x0000000e jmp 00007F58ECF3A5CAh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0CD0 second address: 9C0CDA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F58ECD2231Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7830 second address: 9C7838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C60AD second address: 9C60B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C60B7 second address: 9C60D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F58ECF3A5C6h 0x0000000d jmp 00007F58ECF3A5D1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C60D5 second address: 9C60FA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F58ECD22316h 0x00000008 jmp 00007F58ECD22323h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007F58ECD2231Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C622B second address: 9C6243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F58ECF3A5D1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C6399 second address: 9C639D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C639D second address: 9C63B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jg 00007F58ECF3A5C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C63B6 second address: 9C63BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C63BB second address: 9C63C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C63C1 second address: 9C63C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C63C5 second address: 9C63D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C659D second address: 9C65A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C65A1 second address: 9C65C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F58ECF3A5D8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97340D second address: 973411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973411 second address: 97341F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F58ECF3A5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9734C3 second address: 9734D4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F58ECD22318h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9734D4 second address: 9734DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9734DA second address: 9734E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9734E3 second address: 9734E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9734E7 second address: 97352B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F58ECD22318h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 adc dx, E2F1h 0x00000027 push 00000004h 0x00000029 adc cx, 682Ah 0x0000002e jo 00007F58ECD22317h 0x00000034 cmc 0x00000035 push eax 0x00000036 push ebx 0x00000037 jp 00007F58ECD2231Ch 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C6B67 second address: 9C6B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C6B6D second address: 9C6B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C6B71 second address: 9C6BA6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F58ECF3A5D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F58ECF3A5D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93C5FD second address: 93C607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F58ECD22316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93C607 second address: 93C64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F58ECF3A5D9h 0x0000000c jl 00007F58ECF3A5C6h 0x00000012 jno 00007F58ECF3A5C6h 0x00000018 jmp 00007F58ECF3A5D7h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93C64B second address: 93C651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAF6F second address: 9CAF85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAF85 second address: 9CAF89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAF89 second address: 9CAF97 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F58ECF3A5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAF97 second address: 9CAF9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAF9B second address: 9CAFA5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F58ECF3A5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF63C second address: 9CF64A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF64A second address: 9CF66B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F58ECF3A5D8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF66B second address: 9CF67A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jc 00007F58ECD2231Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CEA0D second address: 9CEA24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58ECF3A5D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECC5 second address: 9CECC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECC9 second address: 9CECEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F58ECF3A5D3h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF100 second address: 9CF123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F58ECD22328h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF123 second address: 9CF13D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F58ECF3A5D2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D5550 second address: 9D5579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F58ECD22316h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F58ECD22328h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D5579 second address: 9D557D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D557D second address: 9D5587 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F58ECD22316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D5587 second address: 9D5595 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D5595 second address: 9D559B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D5B5C second address: 9D5B83 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F58ECF3A5C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F58ECF3A5D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D5B83 second address: 9D5B89 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D5B89 second address: 9D5B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D5B92 second address: 9D5B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D611C second address: 9D6122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6122 second address: 9D6127 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D66AF second address: 9D66D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5D4h 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D69AE second address: 9D69B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D69B6 second address: 9D69BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D69BB second address: 9D69EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD22324h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F58ECD22326h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DB182 second address: 9DB188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DB892 second address: 9DB8AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD22325h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBBAA second address: 9DBBDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jc 00007F58ECF3A5D9h 0x00000013 jmp 00007F58ECF3A5D3h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F58ECF3A5CDh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6B6D second address: 9E6B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F58ECD22316h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6B7C second address: 9E6B88 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F58ECF3A5C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6B88 second address: 9E6B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6FAB second address: 9E6FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ecx 0x00000007 pushad 0x00000008 jg 00007F58ECF3A5C6h 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6FC4 second address: 9E6FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7118 second address: 9E711E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E80C6 second address: 9E80CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E80CA second address: 9E80D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F58ECF3A5CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E80D8 second address: 9E80DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ED2D7 second address: 9ED2E7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F58ECF3A5C6h 0x00000008 jbe 00007F58ECF3A5C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F13BF second address: 9F13DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jg 00007F58ECD2231Ch 0x0000000d push esi 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop esi 0x00000011 push edx 0x00000012 js 00007F58ECD22316h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D7A3 second address: 92D7A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D7A9 second address: 92D7AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D7AD second address: 92D7C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5CEh 0x00000007 ja 00007F58ECF3A5C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D779 second address: 92D7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F58ECD22322h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F58ECD22321h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F10A9 second address: 9F10C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5CDh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F10C0 second address: 9F10C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC44A second address: 9FC462 instructions: 0x00000000 rdtsc 0x00000002 js 00007F58ECF3A5C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F58ECF3A5D2h 0x00000010 jo 00007F58ECF3A5CCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03450 second address: A03456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03456 second address: A03463 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A060AA second address: A060B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A060B2 second address: A060B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A07740 second address: A0775B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD2231Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F58ECD22326h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0775B second address: A0775F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C446 second address: A0C452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F58ECD22316h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B126 second address: A1B12B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B428 second address: A1B442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007F58ECD22316h 0x0000000e jc 00007F58ECD22316h 0x00000014 popad 0x00000015 popad 0x00000016 push ecx 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B442 second address: A1B463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F58ECF3A5D7h 0x00000009 pop esi 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B5AB second address: A1B5AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B5AF second address: A1B5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B5B5 second address: A1B5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B6F3 second address: A1B723 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F58ECF3A5C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F58ECF3A5CFh 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push esi 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c pop esi 0x0000001d pushad 0x0000001e ja 00007F58ECF3A5C6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B723 second address: A1B729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A308F3 second address: A308FD instructions: 0x00000000 rdtsc 0x00000002 jl 00007F58ECF3A5E0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36445 second address: A36457 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 jbe 00007F58ECD2231Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36280 second address: A36294 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36294 second address: A36298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43FF8 second address: A43FFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43FFD second address: A44012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F58ECD22316h 0x0000000a popad 0x0000000b jl 00007F58ECD2231Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A44012 second address: A4401E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4401E second address: A44026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43B69 second address: A43B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jne 00007F58ECF3A5C6h 0x0000000c pushad 0x0000000d popad 0x0000000e js 00007F58ECF3A5C6h 0x00000014 jmp 00007F58ECF3A5CAh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43B88 second address: A43BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECD22328h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop esi 0x0000000f jmp 00007F58ECD22325h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43BBF second address: A43BC9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F58ECF3A5D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43D13 second address: A43D17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43D17 second address: A43D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43D23 second address: A43D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A455CE second address: A4561F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F58ECF3A5D8h 0x00000007 jp 00007F58ECF3A5C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F58ECF3A5D3h 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007F58ECF3A5CCh 0x0000001f push eax 0x00000020 push edx 0x00000021 jne 00007F58ECF3A5C6h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4561F second address: A45623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45623 second address: A45627 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5E23F second address: A5E258 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F58ECD22320h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5E258 second address: A5E25E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5E25E second address: A5E286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F58ECD22316h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F58ECD22327h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D58B second address: A5D5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F58ECF3A5D3h 0x0000000a pushad 0x0000000b jl 00007F58ECF3A5C6h 0x00000011 jmp 00007F58ECF3A5CFh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D6F6 second address: A5D6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D6FE second address: A5D703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5DAEF second address: A5DAF9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F58ECD22316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5DC8B second address: A5DC91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5DC91 second address: A5DC9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F58ECD22316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5DC9D second address: A5DCA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F58ECF3A5C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5DCA8 second address: A5DCAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5DCAE second address: A5DCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5DCB9 second address: A5DCBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60C0D second address: A60C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60CCE second address: A60CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60CD2 second address: A60CD8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60CD8 second address: A60CDD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A60F25 second address: A60F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A61188 second address: A6118D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A63DE9 second address: A63DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F58ECF3A5C6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70D38 second address: 4F70D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70D3E second address: 4F70DCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 movzx ecx, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, ecx 0x0000000d jmp 00007F58ECF3A5CBh 0x00000012 jns 00007F58ECF3A64Bh 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F58ECF3A5D4h 0x0000001f and ecx, 5EA093C8h 0x00000025 jmp 00007F58ECF3A5CBh 0x0000002a popfd 0x0000002b pushad 0x0000002c jmp 00007F58ECF3A5D6h 0x00000031 pushfd 0x00000032 jmp 00007F58ECF3A5D2h 0x00000037 jmp 00007F58ECF3A5D5h 0x0000003c popfd 0x0000003d popad 0x0000003e popad 0x0000003f add eax, ecx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70DCE second address: 4F70DD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70DD4 second address: 4F70DEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 48F7h 0x00000007 mov bx, ax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax+00000860h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976D7E second address: 976D88 instructions: 0x00000000 rdtsc 0x00000002 js 00007F58ECD2231Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976D88 second address: 976D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F58ECF3A5C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976D99 second address: 976D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976D9D second address: 976DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7C3AB8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7C3B7D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 96D07E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 98FD16 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9F3506 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4308

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2108727792.0000000001165000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108900004.0000000001170000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.00000000010EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128425365.0000000001171000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108727792.0000000001140000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128348954.0000000001140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007A5BB0 LdrInitializeThunk,

0_2_007A5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor

Source: file.exe, file.exe, 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: svProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
eaglepawnoy.store	unknown	unknown	false	unknown
bathdoomgaz.store	unknown	unknown	false	unknown
spirittunek.store	unknown	unknown	false	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	false	unknown
mobbipenju.store	unknown	unknown	false	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true		unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/0	file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://studennotediw.store/apiT	file.exe, 00000000.00000003.2108727792.0000000001165000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128348954.0000000001165000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108727792.0000000001128000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108727792.0000000001128000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128348954.0000000001129000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108867058.000000000117C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128466376.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128252524.0000000001124000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108727792.0000000001140000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128441181.000000000117D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2128348954.0000000001140000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000003.2108682528.00000000011B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2108682528.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528405
Start date and time:	2024-10-07 22:07:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:08:08	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	out.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	FdjDPFGTZS.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	CSY6k9gpVb.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	88.221.169.152
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html?url=https%3A%2F%2Fphpstack-1335745-4931432.cloudwaysapps.com%2F%23%26%26%2B~XanJlZEBwcm9hZy5jb20=&locale=en-us&dest=https%3A%2F%2Fteams.microsoft.com%2Fapi%2Fmt%2Fpart%2Famer-03%2Fbeta%2Fatpsafelinks%2Fgeturlreputationsitev2%2F&pc=dqIG3sYngZE8N2eRBkF7CAkOWKg5g3tGjnQGJGQlc61U8QGlKCs5AzH6JKtW7FyetS1g5oEXSNBKJVlJbTCgrea0O041dBSjafsPfOc5KxbMkQRnpwalZQdhHfcjoeWL7rzuDGG%252fj2e7scaAUTCy2PY0WmBb87rgNNPdmEQne%252f00jq9aOpwCvhJrGkNK5f8MP5jaUwccFhr9IIoVaCOrXUhSnuRv%252fw%252bxhUGpneOsAgBs7CjJQbmepBIHfEqwCkqvDbYbxYB4Hm9sLVAOFaz9VFMFSXPJt4MqeWAChikWLAZATmvniptR3h97WVF%252fZtjtm3RxdNyPROzhUvL92w9fdWmSw%252bHBxn5rMHOUpaQU16ZpcfATiVaU51fqKaYO2v4ZnK7axAavLgOpgAJivuE6JO2sqksPH41Z6PVam5c4J%252bwwz5Z2pqrOSxPxEcPGeDff%252bxp9PApNxpvURRLl98WzRw%252ftZEOu%252foKPhjN0OiTGAQDLRWTF%252bMCzSQg37tk7ZYUYYc0Ycs4xDjchhFprJCCSfrZ8WyHq6cjqmnbgDKRQig28xGNFnSDEeWMDBQeeeVyNqDv0FAAxkSAMO%252b7t4Qu1y0h0MHJYEb5pxfOYe8Pyfcsn7pyR%252fkKEqziEQVGlIETrpjVMNyrhJrnX9S%252flWaxf0H3tD%252fqMhzPysO9QdPSJTG054WE4jq5GRqTKu8P25t4KJLY15Oz2j5iCg7Bd5lczhgv4PQevplLuCGckM%252fs5EPk2r2FkSOxHF51EB5FR2TgXQR5UAp2BbaWTm9irKwSSUK5z1MsGMDokVMEB4bQ9mpZrl1%252bDMixJ1mQyyLXpelmEyN8zw1nTsbXAvDQgIvPLPj0QUtphEMnmVEXMkQHiw2WHWUSxIxYcY%252fltyp6bnMrankPAnpChbWQmk95rKsUz8tqtLjNDclK1y1FLy%252fh7sed9duxDDFupXnhmXxGJOmUV6FG1arxXL8urm1F98thG8anfchv3DafKsyVHHgmdUFNH6Uhcu4sB8fo0kqm2y7IWS96w5BeG334JvnFDJPLDPvtK5ojeXfDXh%252boKJdBxXGC9NmPwgDp8XeOavQnNlJRfUAXkhukdjDg1EHGF%252b9luUuTH%252fEbKHniTzx4OvIWUnDvXcdpuEIAnW8mDJzMXpmxpl3nwtTqeQWMeSNzjute9yTZEU%252beQk498EMyU%252fuPUg%252fSOH5r%252fwjGCsPpm%252f%252bUA00SsNvWuDD0AbNIKYubFuNKQ3SX6N7M11wOksoUG%252fz9IheWtOawwl7F0lqN3xkTQhfiiHovdudAPiB%252fzt25Im27XxPQ9s1c%252bnOWOPh6m%252bvaCQcj6bcwkFbNl5Y1KL7XQvirYSFsNXnrYuQvTPMk1n5CRq6dxsl9FRGV9MMdrZduC%252bG4B0zxLA58d8fTW2zfEXnRcMTgQKLK%252fmeZT7K3wwAvQiA%253d%253d%3B%20expires%3DWed%2C%2009%20Oct%202024%2014%3A05%3A23%20GMT%3B%20path%3D%2F%3B%20SameSite%3DNone%3B%20secu	Get hash	malicious	HTMLPhisher	Browse	2.19.126.151
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	out.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	23.43.32.11
	FdjDPFGTZS.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	CSY6k9gpVb.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	FdjDPFGTZS.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	CSY6k9gpVb.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	45Ywq5ad5H.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	f1r6P3j3g7.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949778370726664
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'867'264 bytes
MD5:	64d0f74791e4442e0f5a2e1e28e07cc8
SHA1:	6ec83a1c59b79bcb9ec5936407fe98e42c885ec9
SHA256:	03fa901819757c3e94dae4eab02b97409c67c383705076faea35c8bdf86c41ba
SHA512:	a076f77b50b6b860135d814426b45bd9b7850252310b565b16ced992dec43c0cea1af231c6a46fa094482fa68de84fa9be0c3769e071ef549ac0e3bf912a4e67
SSDEEP:	49152:DANKYFun2ZxMRh6qZ4ylYYpEIkgzVIRzKcT4Ob:DAN1sn2ZORh6qZzYYpksEc
TLSH:	B6853333DB3778DDC9D964FA88F372243D6CAB568CD88B286D8CD51D0427EEA4A81435
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@.......................... K...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8af000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F58EC75509Ah
subps xmm3, dqword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F58EC757095h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	3c5d41d57149bd4f5a0800264ac721a2	False	0.9994520936468647	data	7.9763558819511875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2af000	0x200	182a9239084315ea527fd5d49d8c40c6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
felyekru	0x30f000	0x19f000	0x19e600	45de9f077ae5bebef20837dadb5125f7	False	0.994693273944193	data	7.953710757441963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oqoyfwzb	0x4ae000	0x1000	0x400	115a26a8bc537169e6792d91484242de	False	0.8408203125	data	6.375453092172422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4af000	0x3000	0x2200	e3f36a1f21ce4bdcf2ae69ebb43e869c	False	0.05215992647058824	DOS executable (COM)	0.8421130728364485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T22:08:09.413184+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.5	56356	1.1.1.1	53	UDP
2024-10-07T22:08:09.425942+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.5	60781	1.1.1.1	53	UDP
2024-10-07T22:08:09.438706+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.5	55771	1.1.1.1	53	UDP
2024-10-07T22:08:09.451483+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.5	60789	1.1.1.1	53	UDP
2024-10-07T22:08:09.462878+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.5	51656	1.1.1.1	53	UDP
2024-10-07T22:08:09.474978+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.5	59613	1.1.1.1	53	UDP
2024-10-07T22:08:09.486755+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.5	54609	1.1.1.1	53	UDP
2024-10-07T22:08:09.499559+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.5	54820	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:08:09.526082039 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:09.526113033 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:09.526282072 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:09.536437035 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:09.536458015 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.150131941 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.150507927 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.191684961 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.191735029 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.192138910 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.235424042 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.422668934 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.467402935 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.804740906 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.804801941 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.804887056 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.804945946 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.804955006 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.804955006 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.804955006 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.804985046 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.804996967 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.805006981 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.805042982 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.861979008 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.862067938 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.862139940 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.862139940 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.863387108 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.863398075 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 7, 2024 22:08:10.863416910 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 7, 2024 22:08:10.863421917 CEST	443	49704	104.102.49.254	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:08:09.413183928 CEST	56356	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.422635078 CEST	53	56356	1.1.1.1	192.168.2.5
Oct 7, 2024 22:08:09.425941944 CEST	60781	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.435997963 CEST	53	60781	1.1.1.1	192.168.2.5
Oct 7, 2024 22:08:09.438705921 CEST	55771	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.449372053 CEST	53	55771	1.1.1.1	192.168.2.5
Oct 7, 2024 22:08:09.451483011 CEST	60789	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.460833073 CEST	53	60789	1.1.1.1	192.168.2.5
Oct 7, 2024 22:08:09.462877989 CEST	51656	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.472780943 CEST	53	51656	1.1.1.1	192.168.2.5
Oct 7, 2024 22:08:09.474977970 CEST	59613	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.484143019 CEST	53	59613	1.1.1.1	192.168.2.5
Oct 7, 2024 22:08:09.486754894 CEST	54609	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.497534037 CEST	53	54609	1.1.1.1	192.168.2.5
Oct 7, 2024 22:08:09.499558926 CEST	54820	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.509295940 CEST	53	54820	1.1.1.1	192.168.2.5
Oct 7, 2024 22:08:09.511872053 CEST	51751	53	192.168.2.5	1.1.1.1
Oct 7, 2024 22:08:09.519489050 CEST	53	51751	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:08:09.413183928 CEST	192.168.2.5	1.1.1.1	0xffa1	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.425941944 CEST	192.168.2.5	1.1.1.1	0xcca7	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.438705921 CEST	192.168.2.5	1.1.1.1	0x8b49	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.451483011 CEST	192.168.2.5	1.1.1.1	0x8a2c	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.462877989 CEST	192.168.2.5	1.1.1.1	0x692c	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.474977970 CEST	192.168.2.5	1.1.1.1	0x5e68	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.486754894 CEST	192.168.2.5	1.1.1.1	0x6a0f	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.499558926 CEST	192.168.2.5	1.1.1.1	0x586f	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.511872053 CEST	192.168.2.5	1.1.1.1	0x8706	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:08:09.422635078 CEST	1.1.1.1	192.168.2.5	0xffa1	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.435997963 CEST	1.1.1.1	192.168.2.5	0xcca7	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.449372053 CEST	1.1.1.1	192.168.2.5	0x8b49	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.460833073 CEST	1.1.1.1	192.168.2.5	0x8a2c	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.472780943 CEST	1.1.1.1	192.168.2.5	0x692c	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.484143019 CEST	1.1.1.1	192.168.2.5	0x5e68	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.497534037 CEST	1.1.1.1	192.168.2.5	0x6a0f	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.509295940 CEST	1.1.1.1	192.168.2.5	0x586f	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:08:09.519489050 CEST	1.1.1.1	192.168.2.5	0x8706	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.102.49.254	443	6432	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:08:10 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-07 20:08:10 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 07 Oct 2024 20:08:10 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=3c56a22f796819c26acdf96b; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-07 20:08:10 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-07 20:08:10 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	0
Start time:	16:08:07
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x760000
File size:	1'867'264 bytes
MD5 hash:	64D0F74791E4442E0F5A2E1E28E07CC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	66.7%
Total number of Nodes:	36
Total number of Limit Nodes:	4

Executed Functions

Function 0076FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VY^_, xrefs: 0076FDFF
J|BJ, xrefs: 0077000D
V, xrefs: 0076FEDC
t, xrefs: 0076FCBE

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 75f78b6f0bf9a040949c20579ee1e4296e461f5735108d1eb118df44204340ba
Instruction ID: 43f5e031e022ba986e29781b11bbb342c9dd6fafd06949fc0f1f4455a27c8026
Opcode Fuzzy Hash: 75f78b6f0bf9a040949c20579ee1e4296e461f5735108d1eb118df44204340ba
Instruction Fuzzy Hash: 2ED1787450C3849BD710DF14D494A6FBBE2AF92B84F54882CF8D98B252D33ACD49DB92

Function 0076D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0076D2F0

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 44f350d52f6c7e0abcbcdcf5feaaa836d28c00d061d06fed4e3cb74af6a81728
Instruction ID: 3b7148770bdebf2ceb75af6375381da11673129c1230b3d220dff0d7ef265a20
Opcode Fuzzy Hash: 44f350d52f6c7e0abcbcdcf5feaaa836d28c00d061d06fed4e3cb74af6a81728
Instruction Fuzzy Hash: 79415770A1D380ABC711BB65D598A2EFBF5AF92744F048C0CE9C59B212D73ADC148B67

Function 007A5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(007A973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 007A5BDE

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 007A695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 007A69C5

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9df2b482fb66b1fe8065bc444f2ce415a918cd6b253f3f669b0a1ceb3df9fbf7
Instruction ID: 3086cf3f5e0e488facfa1835549ed8acd23feec4557247a368abad0f44ab48a0
Opcode Fuzzy Hash: 9df2b482fb66b1fe8065bc444f2ce415a918cd6b253f3f669b0a1ceb3df9fbf7
Instruction Fuzzy Hash: 7C3198B06083018FD718DF14C890B2BB7F1EFC6344F088A1CE5C697261E7399904CB56

Function 0077049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6db1d4ff085e7af159cee0a7e1b8efd32e8fa2d8dd2870786f5a369e84516b
Instruction ID: 7eb9575f071aad8c62e9bb7ddf40c7e7ae0f9b8952dc7d63fc66f801ea7f6714
Opcode Fuzzy Hash: ce6db1d4ff085e7af159cee0a7e1b8efd32e8fa2d8dd2870786f5a369e84516b
Instruction Fuzzy Hash: AC916B75200B00CFD7248F65D894A27B7F6FF8A310B15CA6DE89687662D738E815CB94

Function 00770228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51fb9d16dfdb02eb76b510f401f7cbedd4cd8b86e7e900770334ddb298a6b03
Instruction ID: 3ffc0ae6ffa3301afbd7e51e46e139f3f2590a77fdec0e343b02cee3a62cfec0
Opcode Fuzzy Hash: b51fb9d16dfdb02eb76b510f401f7cbedd4cd8b86e7e900770334ddb298a6b03
Instruction Fuzzy Hash: AF716675200700DFDB248F60E894B27B7F6FF8A311F15C968E8968B662D739A815CB64

Function 007A99D0 Relevance: .1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7587cc6b3fe32ad36d3c0ac0a738125768bcb5b13e016985274f0a51558aed03
Instruction ID: 9e33ff10dfd07cb74635fefc65855374490c8fb6e331ae8f38559c53a7ff1458
Opcode Fuzzy Hash: 7587cc6b3fe32ad36d3c0ac0a738125768bcb5b13e016985274f0a51558aed03
Instruction Fuzzy Hash: CE419F74208340ABD7149B15D890B2BF7A6EBC6714F24CA2DE68A97251D339E821CB66

Function 007A63B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cc6b757a8782fdc019fa841e2efbcaea7b8ef1594c4926b85de0bd123439a3c
Instruction ID: ea0c33027ef23fe8381a45edd72185ba86329a3993868fbd6febf83e411a0fa1
Opcode Fuzzy Hash: 5cc6b757a8782fdc019fa841e2efbcaea7b8ef1594c4926b85de0bd123439a3c
Instruction Fuzzy Hash: 1131D270649341BBDA24DB04CD82F3AB7A6EBD6B15F68870CF1815B2E1D378B8118B56

Function 00770EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f682cc87bc05c5511074e056d3ddf31937edce8aed87e363ff86b0def0c9efb
Instruction ID: 79f88cacedf604e3ba0c49a8f97690b571a501e3e99c1cc33f08b000987d847d
Opcode Fuzzy Hash: 3f682cc87bc05c5511074e056d3ddf31937edce8aed87e363ff86b0def0c9efb
Instruction Fuzzy Hash: E4210CB490021ADFDF15CF94CC90BBEBBB1FB46304F148859E915BB292C735A911CBA4

Function 007A3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 007A32A6

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 896933dcd20e717e773a6a39c4b13bc3a2ad2ad26078868933f6ef7838e13968
Instruction ID: 26db273072198bdcb2f53b0116051828738956856b3b138645a9f1595eeb91d4
Opcode Fuzzy Hash: 896933dcd20e717e773a6a39c4b13bc3a2ad2ad26078868933f6ef7838e13968
Instruction Fuzzy Hash: 04016D3450D240DBC701EF18E859E1ABBE8EF8A700F058A1CE5C58B361D339DD64CB96

Function 007A3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 007A3208

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ccb08fc76f3dd797638a8b64e3dc9beb796419149cb4901a574fe0bbf55290e3
Instruction ID: 9891b57a801685435d5e8870429e18a3a9c0a2ea6c9965738b31fc0d5490fde4
Opcode Fuzzy Hash: ccb08fc76f3dd797638a8b64e3dc9beb796419149cb4901a574fe0bbf55290e3
Instruction Fuzzy Hash: DBB012300400005FDA181B00EC0AF003510EB00705F800190A100040B1E5A55C65C558

Non-executed Functions

Function 0077DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

@ONM, xrefs: 0077E6DB
T, xrefs: 0077F157
dcba, xrefs: 0077E728
tsrq, xrefs: 0077E6FC
%*+(, xrefs: 0077DE37, 0077DE46
89>?, xrefs: 0077E9F6
QNOL, xrefs: 0077E775
89&', xrefs: 0077E93B
WP, xrefs: 0077DCEF
`onm, xrefs: 0077E733
AR, xrefs: 0077DD10
lkji, xrefs: 0077E73E
tuJK, xrefs: 0077E967
DCBA, xrefs: 0077E887, 0077E896
:WUE, xrefs: 0077F6B7, 0077F6C6
LKJI, xrefs: 0077E6E6
D, xrefs: 0077E846
xgfe, xrefs: 0077E71D
|, xrefs: 0077ECB1
`Y^_, xrefs: 0077E99E
()./, xrefs: 0077E9CA
<=:;, xrefs: 0077E930
<=2, xrefs: 0077EA01
mjkh, xrefs: 0077E7D8

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: bdc333769cabc3e88737fa90db4221e313b958c208c6653c9ac7e1994be77b52
Instruction ID: 5e8ed28c429c06860b6524c36beab9e54e3ae7677d63c902009caabe67c6a12b
Opcode Fuzzy Hash: bdc333769cabc3e88737fa90db4221e313b958c208c6653c9ac7e1994be77b52
Instruction Fuzzy Hash: 48F27BB05093819BDB70CF14C484BABBBE2BFD5344F54896CE4CD8B251D7399994CB52

Function 007923E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

f@~!, xrefs: 007925FF
fedc, xrefs: 00792782
|}&C, xrefs: 00792F21
`tii, xrefs: 00792693
Cx, xrefs: 0079453D
aenQ, xrefs: 0079276A
%*+(, xrefs: 007940EF
3<, xrefs: 007932D6
mlc@, xrefs: 0079275C
:, xrefs: 007932DD
ggxz, xrefs: 00792685
{l`~, xrefs: 0079268C

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: 420ceef4831af59e163f183af3cf3d673a83bdf34a32f5f34a94814c5bfdc28c
Instruction ID: 5f676d07be57f1192d53a7e27d83fb0ff4295e1bfd3eb454c0e54ef24aad265a
Opcode Fuzzy Hash: 420ceef4831af59e163f183af3cf3d673a83bdf34a32f5f34a94814c5bfdc28c
Instruction Fuzzy Hash: 1C33BC70505B81CFDB258F38D590B62BBE1BF16304F58899DD4DA8BB92C739E806CB61

Function 00789F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

kW, xrefs: 0078A380
=], xrefs: 0078A36A
(a*c, xrefs: 0078A147
S], xrefs: 0078A636
WQ, xrefs: 0078A62B
?m,o, xrefs: 0078A13C
WH, xrefs: 0078AA1C
sm, xrefs: 0078A830
/), xrefs: 0078A66D
CG, xrefs: 0078AA32
N[, xrefs: 0078A375
hi, xrefs: 0078AB9D
%e6g, xrefs: 0078A152
]{, xrefs: 0078A1E7, 0078A1F3
Gt, xrefs: 00789FF8
_Y, xrefs: 0078A641
JG, xrefs: 0078AA27

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: da2a265dd29cb1bd35a9f9247c2c3f31199d49002a34d00e4922bb783ebc74a3
Instruction ID: 12f48246bec6cd46775271cf75ddb3e503baeadcaecb0df87044de139077f199
Opcode Fuzzy Hash: da2a265dd29cb1bd35a9f9247c2c3f31199d49002a34d00e4922bb783ebc74a3
Instruction Fuzzy Hash: 8552C6B444D385CAE270CF25D581B8EBAF1BB92740F608A1DE2ED9B255DBB48045CF93

Function 00789510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

T#a-, xrefs: 00789AE3
;IJK, xrefs: 0078983E
B?Q9, xrefs: 00789B0B
B7U1, xrefs: 00789AFB
,A&C, xrefs: 0078982E
8;, xrefs: 00789B13
O+f), xrefs: 00789634, 0078963D
pq, xrefs: 007899E0
X/R), xrefs: 00789AEB
L3Y=, xrefs: 00789B03
G+X5, xrefs: 00789AF3
!E4G, xrefs: 00789836
G'M!, xrefs: 00789ADB
2A"_, xrefs: 00789980
z=Q?, xrefs: 00789826
?M0K, xrefs: 00789968

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: d921508736ddd97d704461b49153591ea90f60c0bca0d466ba352bca5e880408
Instruction ID: 9b7a2d79d7b2ab0d32053e70ee1b83d655a8f9a34d6bcbadf4edb2522ca087ab
Opcode Fuzzy Hash: d921508736ddd97d704461b49153591ea90f60c0bca0d466ba352bca5e880408
Instruction Fuzzy Hash: 7FF131B4508381ABD310EF55D881A2BBBF4FB86744F184E1CF5D59B252E378D908CBA6

Function 0078DD29 Relevance: 18.6, Strings: 14, Instructions: 1142COMMON

Download Yara Rule

Strings

hX]N, xrefs: 0078DDC7
)IgK, xrefs: 0078E261
n\+H, xrefs: 0078DDC0
%*+(, xrefs: 0078E143
x, xrefs: 0078E9C5
=]+_, xrefs: 0078E276
-M2O, xrefs: 0078E25A
{E, xrefs: 0078E323
x, xrefs: 0078E403, 0078E664, 0078E7BD
Y9N;, xrefs: 0078E245
upH}, xrefs: 0078DE8A, 0078E798, 0078DF4A
<Y.[, xrefs: 0078E27D
,Q?S, xrefs: 0078E26F
rx, xrefs: 0078E92E

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: x$%*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$rx$upH}${E$x
API String ID: 0-1821565524
Opcode ID: eb58ebd9a2a95e2c121fcb5b9601e23cd65c52bf1adb51471bb4fe530b78b78c
Instruction ID: b4ac98a217791df672d905734432b83d5d98df9e44609c895b7dfbd264014052
Opcode Fuzzy Hash: eb58ebd9a2a95e2c121fcb5b9601e23cd65c52bf1adb51471bb4fe530b78b78c
Instruction Fuzzy Hash: D2920871E00215CFDB14CF68D851BAEBBB2FF49320F698268E456AB391D7399D01CB90

Function 00932DB5 Relevance: 11.5, Strings: 8, Instructions: 1535COMMON

Download Yara Rule

Strings

7W}u, xrefs: 0093318C
u4w_, xrefs: 0093398C
$~nO, xrefs: 00934001
31M, xrefs: 00933EEA
Uy2, xrefs: 00933251
F8Se, xrefs: 00933571
O8O, xrefs: 009339F3
c7O, xrefs: 00933A68

Memory Dump Source

Source File: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: $~nO$31M$7W}u$F8Se$O8O$Uy2$c7O$u4w_
API String ID: 0-3578337509
Opcode ID: 00647b3f705a03d9d539b5133eedc4d53966207cc82dc80237e34a28387d4c73
Instruction ID: d69d137cf7dfd6a0ee069f15d64350d4b3ef99af840f5d158c5b6fd2094751d7
Opcode Fuzzy Hash: 00647b3f705a03d9d539b5133eedc4d53966207cc82dc80237e34a28387d4c73
Instruction Fuzzy Hash: DFA2E4F360C6009FE304AE29EC8567AFBE9EF94720F16893DE6C4C7344EA3558458697

Function 0078098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

9.5^, xrefs: 00780F9F
{, xrefs: 00781502
cah`, xrefs: 0078107E
,#15, xrefs: 00780F94
%*+(, xrefs: 00780A77, 00780A86
&> &, xrefs: 00780F89
gce/, xrefs: 00781073
qrqp, xrefs: 00781089

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 62db8d6ffe1266648bb8a183b9767fd193c4694ac970ec075babd8d6619eff49
Instruction ID: a95dd9974bb5c1fafea50b14e0975c5fca63c5234365a58fffefdecce9296705
Opcode Fuzzy Hash: 62db8d6ffe1266648bb8a183b9767fd193c4694ac970ec075babd8d6619eff49
Instruction Fuzzy Hash: 9762AAB1648381CBD330DF14D895BABB7E1FF96314F08892DE49A8B641E3399945CB93

Function 00761000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00762226
0123456789abcdefxp, xrefs: 00761587, 007615F8
@, xrefs: 00762C40
gfff, xrefs: 00762297
-, xrefs: 007621ED
gfff, xrefs: 007622E1
0123456789ABCDEFXP, xrefs: 0076157D, 007615EB

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 68d05bff885936a490ecd889baf38b19a87956a35c5702cdc10f17964d01b195
Instruction ID: 738ea4fe0c543a4e924bceee795edbfbf1487afaeb692aaca5fcc29177ffe889
Opcode Fuzzy Hash: 68d05bff885936a490ecd889baf38b19a87956a35c5702cdc10f17964d01b195
Instruction Fuzzy Hash: B3D2E7716087418FD718CE29C49436ABBE2AFD5314F18CA2DE89AC7392D778DD45CB82

Function 00939627 Relevance: 10.3, Strings: 7, Instructions: 1593COMMON

Download Yara Rule

Strings

,K, xrefs: 00939F88
%"3M, xrefs: 0093A5D7
6|O, xrefs: 0093A572
!}n, xrefs: 009397E7
r42], xrefs: 0093A148
2|O, xrefs: 0093A577
^~>, xrefs: 0093A5E3

Memory Dump Source

Source File: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: !}n$%"3M$2|O$6|O$r42]$,K$^~>
API String ID: 0-233287712
Opcode ID: b7807363c9b0d500ea1980c20e5050f26811891129902ef24b3bfc1fe6c4860a
Instruction ID: 5dd2c2e08ca0ece3e55e6e997846ff31fecbd341c010e8ceea55c768872829c5
Opcode Fuzzy Hash: b7807363c9b0d500ea1980c20e5050f26811891129902ef24b3bfc1fe6c4860a
Instruction Fuzzy Hash: C4B218F390C6049FE304AE2DEC8567ABBE5EF94720F168A3DEAC4C7744E63558018697

Function 00937C2D Relevance: 7.9, Strings: 5, Instructions: 1606COMMON

Download Yara Rule

Strings

i#{, xrefs: 00938BBF
:-o:, xrefs: 009389F0
G`/_, xrefs: 00938B7C
_s?3, xrefs: 00938A31
rS*+, xrefs: 009382BD

Memory Dump Source

Source File: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: :-o:$G`/_$_s?3$i#{$rS*+
API String ID: 0-4051887587
Opcode ID: 015f476cbe4d74ce5065e2882ead40c5efbd5912de2e33c3a52510c6437b0faf
Instruction ID: 532f3e659546a1e1e7434338b6456d2f2eec043f839e658d62bee404236995d0
Opcode Fuzzy Hash: 015f476cbe4d74ce5065e2882ead40c5efbd5912de2e33c3a52510c6437b0faf
Instruction Fuzzy Hash: FAB2E6F360C6049FE314AE2DEC8577ABBE9EB94720F1A493DEAC4C3744E63558018697

Function 007612F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 00761DC1
@, xrefs: 00763531
0, xrefs: 0076243E
i, xrefs: 007628EA
0, xrefs: 00761E88

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: e6284fa3000576a60e723ddd0b67e1787d26fe7544acfbe22d2350ec23abf5ea
Instruction ID: 5be16526ce276a724d71ca1c3cf83a5b48fba6dd811b0167fdadbdaec31b171f
Opcode Fuzzy Hash: e6284fa3000576a60e723ddd0b67e1787d26fe7544acfbe22d2350ec23abf5ea
Instruction Fuzzy Hash: B562E47160C7818BC319CF28C49476ABBE1AFD5304F188A5DECDA97292D778D94ACB42

Function 0076164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

+, xrefs: 00761573
0123456789abcdefxp, xrefs: 00761659
gfff, xrefs: 00761F57
gfff, xrefs: 00761F3C
0123456789ABCDEFXP, xrefs: 0076164F

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: d7cb75d44845fb0ccfad7e23776a62f470930825df5b051a2c67ade8a9c749c7
Instruction ID: 46d3d21ab6df9f9f847179991ef1f67f530cd9d9b6e183e7a7602d524bc3a8ec
Opcode Fuzzy Hash: d7cb75d44845fb0ccfad7e23776a62f470930825df5b051a2c67ade8a9c749c7
Instruction Fuzzy Hash: 32F1923160C7818FC715CE29C48426AFFE2AFD9304F188A6DE8DA87356D778D945CB92

Function 0092F777 Relevance: 6.6, Strings: 4, Instructions: 1640COMMON

Download Yara Rule

Strings

JgV|, xrefs: 0093004A
D%m, xrefs: 00930447
%s][, xrefs: 00930AAD
ME@P, xrefs: 00930065

Memory Dump Source

Source File: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %s][$D%m$JgV|$ME@P
API String ID: 0-3563046543
Opcode ID: 8d82ab1b148ec3cc3b02b17fcbcfbef7b5a951f4e6f4e08af9f949400e1b0eee
Instruction ID: 7bc4d4c277385ece51bed8a8c6fd029eb2a53f1df52626bdbcc199ee8347bf0b
Opcode Fuzzy Hash: 8d82ab1b148ec3cc3b02b17fcbcfbef7b5a951f4e6f4e08af9f949400e1b0eee
Instruction Fuzzy Hash: 38B23BF3A082109FE3046E2DEC8577AB7E9EFD4720F1A463DEAC4C7744E97598058692

Function 007613A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 007613AD
gfff, xrefs: 00761F57
gfff, xrefs: 00761F3C
-, xrefs: 00761F23
0123456789ABCDEFXP, xrefs: 007613A3

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 8a7a15855cd0d20aca4b8eb79d6115c8d0d5409f79c556d78faa845ec50b93b5
Instruction ID: 1aee3c27eb0bba9e0efb300ba18a7d9098975839cc3c959993dc155f65f8bcfc
Opcode Fuzzy Hash: 8a7a15855cd0d20aca4b8eb79d6115c8d0d5409f79c556d78faa845ec50b93b5
Instruction Fuzzy Hash: 10D18F7160C7818FC715CE29C48466AFFE2AFD9304F08CA6DE8DA87356D638D949CB52

Function 0078FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

m1s3, xrefs: 0078FEC3, 0078FECB
NA_I, xrefs: 0079036D
:, xrefs: 00790087
uvw, xrefs: 0078FE95

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 2110bedc4cf1933e6ba9b6d7ff5a56121517c277b860fd98d2cb9769584d8b2c
Instruction ID: f7f7301a8de23cda61fe416d75168ee5856f0178ea725e3e5f11cecd657250c4
Opcode Fuzzy Hash: 2110bedc4cf1933e6ba9b6d7ff5a56121517c277b860fd98d2cb9769584d8b2c
Instruction Fuzzy Hash: 4032BCB1518380DFD701DF28E890B2ABBE1BB8A340F548A5CF5D58B262D339D915CF96

Function 00773BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00773EC4
ss, xrefs: 00773C79
;z, xrefs: 00773C87
p, xrefs: 00773C80

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: cf5030ac5d3212a1e54cfe57374b8126ab330f6ed898e40aba2131d7b5c8e89b
Instruction ID: 46f7ddca1aa31123d0fe71138f35a4a07cef70efbfac67ee16191c9a5b7865f7
Opcode Fuzzy Hash: cf5030ac5d3212a1e54cfe57374b8126ab330f6ed898e40aba2131d7b5c8e89b
Instruction Fuzzy Hash: 05026DB4910700DFDB60DF25D986B56BFF4FB02340F50895DE89A8B656E335E818CBA2

Function 00782260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

hu, xrefs: 0078232F
lc, xrefs: 00782507
a|, xrefs: 00782317
sj, xrefs: 00782327

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 401ed938c942e89d9a7a19b2e0f762f70b8a13ce82a391a2f344ed4ae3b84f2b
Instruction ID: 1b4d9cf3595611aae66a0d29f23620202611acc81bd152f9eab252cce2768b25
Opcode Fuzzy Hash: 401ed938c942e89d9a7a19b2e0f762f70b8a13ce82a391a2f344ed4ae3b84f2b
Instruction Fuzzy Hash: 97A1AF74448341CBC720EF18C891A2BB7F0FF95755F148A4CE8D99B292E339D952CBA6

Function 0092DCC5 Relevance: 5.3, Strings: 3, Instructions: 1589COMMON

Download Yara Rule

Strings

^>?, xrefs: 0092EE3E
bI?, xrefs: 0092DFD1
V"?c, xrefs: 0092E962

Memory Dump Source

Source File: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: V"?c$^>?$bI?
API String ID: 0-1393796213
Opcode ID: 1e94c3fdd9f7d1c4bd788f43cdb152ffa22caa40947f0eee67e8932b13c9685a
Instruction ID: f3c4847fddd87b94fe5226acfac5b94e794ccd413bd712f8ab5cdebde03e6f67
Opcode Fuzzy Hash: 1e94c3fdd9f7d1c4bd788f43cdb152ffa22caa40947f0eee67e8932b13c9685a
Instruction Fuzzy Hash: 24B208F36082049FE304AE2DEC8567AF7E9EF94720F1A893DEAC4C7744E93558058796

Function 0078D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

CV, xrefs: 0078D98B
KV, xrefs: 0078D97D
#', xrefs: 0078D9EA
T>, xrefs: 0078D984

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 2e51ec02297d5595d7e64359b5a910104824d59e48bc19688a0309c891900925
Instruction ID: 68664a5383135e18a42a56cdc3eb71e6e3b005f91c322076794f83d83118f6b0
Opcode Fuzzy Hash: 2e51ec02297d5595d7e64359b5a910104824d59e48bc19688a0309c891900925
Instruction Fuzzy Hash: 1E8155B48017459FCB20EFA5D28556EBFB1FF12300F60460CE486ABA95D334AA55CFE2

Function 0078AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

lk, xrefs: 0078ACBC
,{*y, xrefs: 0078AD07, 0078AD13
(g6e, xrefs: 0078ACA1
4c2a, xrefs: 0078ACA9

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: f9698c1c81587730187de9585ff776085483443a63fceb17e29c7b8b5ea93e33
Instruction ID: c7cd4586cf6651ab523ebb4b69742855cfccd848387bf30cc095052dca2650bf
Opcode Fuzzy Hash: f9698c1c81587730187de9585ff776085483443a63fceb17e29c7b8b5ea93e33
Instruction Fuzzy Hash: 4B41BA74408381DBD720AF20D910BABB7F0FF86305F94995DE5C897250DB39D944CBA6

Function 0078C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0078C8C3, 0078C8CB
~/i!, xrefs: 0078C537
%*+(, xrefs: 0078C9E4, 0078C9ED

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: d89f841afb6e0dd3c1230f984ee7dd90f9a53ce358b6eba5168b399d460f0549
Instruction ID: cdc21941952675bb79640f49d0f42ad979780291dc4a657f8f7f916bc82e879b
Opcode Fuzzy Hash: d89f841afb6e0dd3c1230f984ee7dd90f9a53ce358b6eba5168b399d460f0549
Instruction Fuzzy Hash: 60E198B1918340DFE320AF64D885B1BBBF5FB85344F94892CE6C987251DB39D810CBA2

Function 00768590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

IEND, xrefs: 007689F0
), xrefs: 00768616
), xrefs: 0076860C

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 1b892ae04c970f2cb8dc149b29327a49682e12d84cb9e1f408f75127888b4044
Instruction ID: 2ce8b82c06bc6a0272416f57eb6bde02c423727a2418e943e92dd4d5cef59f3f
Opcode Fuzzy Hash: 1b892ae04c970f2cb8dc149b29327a49682e12d84cb9e1f408f75127888b4044
Instruction Fuzzy Hash: BFE1C4B1A087419FD350CF64C84572ABBE0BB94314F148A2DF99697382DB79E914CBD3

Function 007A4040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007A40A4, 007A40AD
f, xrefs: 007A420C

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: b5cdefdb5ca3ef5fdee49a3d4f5a04fda39e18445645539e68f21d7da566ad99
Instruction ID: c16dbcde99addc3988063fa401627e36bb0f58c365ef4c63aedb962fdaa638e7
Opcode Fuzzy Hash: b5cdefdb5ca3ef5fdee49a3d4f5a04fda39e18445645539e68f21d7da566ad99
Instruction Fuzzy Hash: 86128D716083419FC715CF18C880B2ABBE5FBCA314F188B6CF49597291D7BAE945CB92

Function 0079F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 0079F7F5
hi, xrefs: 0079F6E6

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 017e8bad54bba123989a402d16d333470d58f48ded0bb98dcf780f987e54e1fe
Instruction ID: e2fe73c7b73a2755188376d9926faf06533989e31a6b2a2c75bcf0af752dea36
Opcode Fuzzy Hash: 017e8bad54bba123989a402d16d333470d58f48ded0bb98dcf780f987e54e1fe
Instruction Fuzzy Hash: 73F19571618341EFE704CF24D891B2ABBF6FB86355F148A2CF0958B2A2D738D945CB16

Function 007635B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 00763607
NaN, xrefs: 0076360E

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 0c2e65d3c15cde7d3ff98cd64ece5d88a3acb3fd2b846679ef0bc256ede77d72
Instruction ID: c62e56b053558637b06cbfb3aafc1837523c527089eb0c655a9c0ac6701e6071
Opcode Fuzzy Hash: 0c2e65d3c15cde7d3ff98cd64ece5d88a3acb3fd2b846679ef0bc256ede77d72
Instruction Fuzzy Hash: 06D1D471A183119BC704CF68C88065BBBE1EFC8750F158A2DFD9A973A1E679DD05CB82

Function 0077FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 007800F6
BaBc, xrefs: 00780197

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: adc6a0edc7427668d001c2ec7c267cd24a4ac5007830d5361728cf841a9ad130
Instruction ID: ab39732ac3143cff04d35c9d465fc8009aebf12598f0b43fbed4123c4926199f
Opcode Fuzzy Hash: adc6a0edc7427668d001c2ec7c267cd24a4ac5007830d5361728cf841a9ad130
Instruction Fuzzy Hash: B151BBB16483818BD331EF14C885BABB7E0FF96320F18491DE49A8B651E3789944CB97

Function 00765160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 007654C8

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: ebc4012190433e082fdd83a87c93afaab3043a7846e59496079c2c9d88806169
Instruction ID: e9305cf3680d6ec0aec129a959604d98c39efe090a94f86fc6034d05a92d706e
Opcode Fuzzy Hash: ebc4012190433e082fdd83a87c93afaab3043a7846e59496079c2c9d88806169
Instruction Fuzzy Hash: 3922E4B6A08B42CBE7158E18D940326BBA3AFE0718F1D856DDC9B4B341EB79DC04E741

Function 007912D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 007915D1

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: cf220ae1563ca53d1cb1f40e0f845a342bc830b4270df8ea48c7db9161f84196
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: AEF13771A083428FCB25CF28D450A3BBBE5AFC5350F59C96DE89A87382D638DD15C792

Function 0078AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0078B2D3, 0078B2DB

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f2d53d1172a9a36abb36d151d3abc3393e92cbbacc24adabf22fdf5b4e4650ce
Instruction ID: 76b17aee8b9804732bce6c31befc99853b3602083bf34be5b773ae45cebf2b28
Opcode Fuzzy Hash: f2d53d1172a9a36abb36d151d3abc3393e92cbbacc24adabf22fdf5b4e4650ce
Instruction Fuzzy Hash: 7BE1AE71548306DBC314EF28C890A6EB7E2FF99791F648A1CE4C587221E339E955CB92

Function 00776EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00776EF3

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 3341a7fd20222c0297f6960464671a97c23f076c26bd1dca3d1c92865a46a887
Instruction ID: 00377abf6c3a0b90e30872cfbd35f6b7f0d1b41f7a7f395dc7dae3b5ef7e99bc
Opcode Fuzzy Hash: 3341a7fd20222c0297f6960464671a97c23f076c26bd1dca3d1c92865a46a887
Instruction Fuzzy Hash: CAF1B0B5600B01CFCB259F64D881A26B3F2FF89354B14CA2DD49B87A91EB38F815CB54

Function 00787E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00788263, 0078826B

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 65ae47e568abc5d12313e7c84f11c04f302b733c5d1d99d373bbe7a2bd507a25
Instruction ID: e59c5405be3bef7952b3df978393816c315082ccef4a049b7299a70d29d714da
Opcode Fuzzy Hash: 65ae47e568abc5d12313e7c84f11c04f302b733c5d1d99d373bbe7a2bd507a25
Instruction Fuzzy Hash: 8CC1C071948200ABD711BF14C886A2BB7F5EF95754F98881CF8C597251EB39DC11CBA3

Function 00788D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00789233, 0078923B

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: c16e4465f4e138321f061da0fc3f319e70b3c352b1018f6b112f10acdb383012
Instruction ID: a34d48f0c27707bf8651ef7a547fd94c11456539487d15fc60c44066c75e2290
Opcode Fuzzy Hash: c16e4465f4e138321f061da0fc3f319e70b3c352b1018f6b112f10acdb383012
Instruction Fuzzy Hash: 70D1BC70618302DFD704EF68DC90B2AB7E5FF89304F59896CE98687291DB39E850CB95

Function 00774487 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

BIw, xrefs: 0077485E

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: BIw
API String ID: 0-1669697647
Opcode ID: 384635ba0cf3cad3e0dc82f09fb29c07de4b312da2cbe5ad863089438039dbd3
Instruction ID: c8130792cd65edb189e703166d7ac1d917297fbafc30537199d087b5d3f3e2a1
Opcode Fuzzy Hash: 384635ba0cf3cad3e0dc82f09fb29c07de4b312da2cbe5ad863089438039dbd3
Instruction Fuzzy Hash: 59E100B5601B00CFD725CF28D996B97B7E1FF46704F04886CE4AAC7A52E739B8148B54

Function 007A7FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 007A8167

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: ea2c11b5880252b34c29800635dc49816db495ece1228ca685ee1a0d78f3e74f
Instruction ID: 791f48a88d83920db1cc0218418ffaf917167c6f8cc6e7316c5112a4c1f1a5bb
Opcode Fuzzy Hash: ea2c11b5880252b34c29800635dc49816db495ece1228ca685ee1a0d78f3e74f
Instruction Fuzzy Hash: B2D1C5729082658FC765CE18D49072EB6E1EBC6718F158B3CE8A5AB380DB79DC05C7C2

Function 007A6CBF Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"pz, xrefs: 007A7015

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: "pz
API String ID: 0-1533520456
Opcode ID: 8baa69eb9778b87cef813928a2493ecf8764969b4042dd9cd4fbaec18c53204c
Instruction ID: 89357be7356009244f46b3230334b07494056f68d652f5764f30d2cd38311f07
Opcode Fuzzy Hash: 8baa69eb9778b87cef813928a2493ecf8764969b4042dd9cd4fbaec18c53204c
Instruction Fuzzy Hash: 97D1F43661C751CFC715CF78D880A2ABBE1BB8A314F098A6CD491C7391D739DA44CB95

Function 0078CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0078CDC3, 0078CDCB

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 4c39f96310d3a37b4ac22a3244d4ba378fbe5218f0ebed83a646dbd102c0f475
Instruction ID: 4741531c7c173167b36b58ea9be3f195c3ab05ade4a4df1e77970b2600ccccd1
Opcode Fuzzy Hash: 4c39f96310d3a37b4ac22a3244d4ba378fbe5218f0ebed83a646dbd102c0f475
Instruction Fuzzy Hash: E8B103716483018BE715EF64D880B2BBBE2EF85350F14492CE5C58B392E339DC55CBA2

Function 0076A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 0076A9C3

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 3ec4c09ceaeeb4fa0b7923608b9664a840b59a2b8576ecf09d7c78e96a0f9ded
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: D4B138701083819FD325CF18C88061BFBE1AFA9704F588A2DF5DA97742D675EA18CB67

Function 0079FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0079FCA4, 0079FCAD

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5897355866e286ed5e2e4bcf641d837041f9fd102893c6cc8192253f3e9efab5
Instruction ID: 2b331aaf2e280cd0e58c12839c0a7b60451d63b683f80a19dc56fc041733d596
Opcode Fuzzy Hash: 5897355866e286ed5e2e4bcf641d837041f9fd102893c6cc8192253f3e9efab5
Instruction Fuzzy Hash: A181BE71609300EFDB10DF58E885B2AB7E5FB8A705F14892CF584D7252E739D815CBA2

Function 0077D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0077D663, 0077D66B

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 9ea54a62cab4e3538bfca3befd6ddd7e5b4958f45a3895210366c8afa915069a
Instruction ID: 3bd82c42e3e4a478784f8baf432cf8a0ad4d9e67c382668d9172d5113b0141d8
Opcode Fuzzy Hash: 9ea54a62cab4e3538bfca3befd6ddd7e5b4958f45a3895210366c8afa915069a
Instruction Fuzzy Hash: F761B171908204DBDB25AF58DC42A3BB3B4FF95394F088528F98A9B251E739ED10C796

Function 007A4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007A4C33, 007A4C3B

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: d94be2ecf0ee278f8b58d67fca5a00909d66effeef151a0af3f93f88d40ea78d
Instruction ID: 0d541fd27998169d98f4f88ec74277de7d91c1b17280dcea787e7a51f82e3fad
Opcode Fuzzy Hash: d94be2ecf0ee278f8b58d67fca5a00909d66effeef151a0af3f93f88d40ea78d
Instruction Fuzzy Hash: BC61E1B16093019FD715DF15C880B2AB7E6EBC6324F188B1CE5C987291D7BAEC41CB66

Function 0076E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0076E333

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 3d87983834579cba4d9306ae04a925ba17e3f7eee71e013ad4320bf20d9fac47
Instruction ID: 889a82d5d8a2e023fd4e28bfa7b98f1b28bfbdf631ea066e8824fc0781e308f6
Opcode Fuzzy Hash: 3d87983834579cba4d9306ae04a925ba17e3f7eee71e013ad4320bf20d9fac47
Instruction Fuzzy Hash: 0851283BA19A904BD329893D4C653AA7AC71BD3334B3DC769EDF28B3E5D55D480443A0

Function 007A3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007A39E3, 007A39EB

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 105a48dfc7ba011338b221bdc6b8390068e804ea41f53e5f97b0027f573a9947
Instruction ID: 785a59bb554033eb810d0d6275d8f5fd6720495d560ffbf691041947cece100e
Opcode Fuzzy Hash: 105a48dfc7ba011338b221bdc6b8390068e804ea41f53e5f97b0027f573a9947
Instruction Fuzzy Hash: 28518D706092009BCB28DF15D884B2AB7E5EBC6749F14CA1CF4CA97251D779ED10CB62

Function 00870A92 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

Zg~, xrefs: 00870C0C

Memory Dump Source

Source File: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: Zg~
API String ID: 0-3614772043
Opcode ID: 6c8ecf90c766e62a882881054b0d0f13cd77c9d2c3861af89f341c3a469d967f
Instruction ID: 38dab12c44f6396ae62f8c4aa3239ee014182cb07c3a852990e9c94e0571ad58
Opcode Fuzzy Hash: 6c8ecf90c766e62a882881054b0d0f13cd77c9d2c3861af89f341c3a469d967f
Instruction Fuzzy Hash: F04138F7A186144BF3046D3CEDA937AB685EB54310F2B463DDAC5D7BC4E43D49094286

Function 00771BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00771C3E

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: c11ed7265f31adcb3e648a881a4629a4cbd92d6335293fd2270b31191f4d8bea
Instruction ID: 0ff88d41f2791f77801e92e4772a5dc5984b820c6f5057c20c2454f12677b857
Opcode Fuzzy Hash: c11ed7265f31adcb3e648a881a4629a4cbd92d6335293fd2270b31191f4d8bea
Instruction Fuzzy Hash: 1D4166B41083809BCB149F58C854A2FBBF0FF86354F44891CF5C99B291D73AC915CB6A

Function 0079FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007A0033, 007A003B

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: b55aa0ce2fe0e2ce20b89136bf21e1cad17d3490c02546a7cbd71c8b870e8893
Instruction ID: 1e14db559d3c6fe194459fef238d4ba9bec0643a70e7cc805c76154bac7b0e0e
Opcode Fuzzy Hash: b55aa0ce2fe0e2ce20b89136bf21e1cad17d3490c02546a7cbd71c8b870e8893
Instruction Fuzzy Hash: 7C31E3B1A08301ABD610EA54DC85F2BB7E9EBC7754F544E28F88597252E339DC14C7A3

Function 0078E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 0078E6A2

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: d93fb49bbb055ca07f775359fecef8bd6c654ea37f4645008437d5143bfe8a73
Instruction ID: af96a838625558a3e9e1a4660226492898e4964126b1e6ef57c1089e18ad04a8
Opcode Fuzzy Hash: d93fb49bbb055ca07f775359fecef8bd6c654ea37f4645008437d5143bfe8a73
Instruction Fuzzy Hash: 6131F8B5A00285CFDB20DF95E894A6FB7B4FB06344F94456CE446A7301D339AD04CBA2

Function 00776F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0077703B

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 35081e79fc1285c43b4bc2cf1ce31be070b6467b9f225b76d8122c9f3c0e4d7e
Instruction ID: d8ac48c8a9ae0a35653473c19a5358ac790abaa3da351ab23ec8ff463b6849ec
Opcode Fuzzy Hash: 35081e79fc1285c43b4bc2cf1ce31be070b6467b9f225b76d8122c9f3c0e4d7e
Instruction Fuzzy Hash: 86417B75204B00DBDB348F61C994F26B7F2FB4A345F14C918E58A97A61E739F810CB24

Function 0078E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 0078E6A2

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 53b0b3b72eb1649aa405939a1f1d78fbb59cd8d83fbca36bf5dd3c3aa49789f2
Instruction ID: eab4932cbac68c3521c45d294b3799758fd620d45d25bd0692d545c35cfbca3a
Opcode Fuzzy Hash: 53b0b3b72eb1649aa405939a1f1d78fbb59cd8d83fbca36bf5dd3c3aa49789f2
Instruction Fuzzy Hash: 6821E5B1A00284CFD720DF95D894A6FBBB5BB0A740F94495CD446A7301D339AD00CBA5

Function 007A9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 007A9D30

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: c39c752bc098bee0b5bc47277e56b8acd76a19c31ef2dcd95c1060cdcfc579e8
Instruction ID: 52bfe49a4f4ef5a50c33e7555710e805dce80a61bf26945c5cff2a6c608953a3
Opcode Fuzzy Hash: c39c752bc098bee0b5bc47277e56b8acd76a19c31ef2dcd95c1060cdcfc579e8
Instruction Fuzzy Hash: 9D3178706083009BD314EF15D880A2AFBF9EFDA314F148A2CE6C597251D339D954CBA6

Function 00774E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14deb71b8bc6c6ecd1c0667a2dde7848d6d2424166ea7ead511b1290c07dc73
Instruction ID: 146cecb210288c38bfa8f97f83b1bd9af3af4cebf1729a16c2e30828fca8bde8
Opcode Fuzzy Hash: a14deb71b8bc6c6ecd1c0667a2dde7848d6d2424166ea7ead511b1290c07dc73
Instruction Fuzzy Hash: EA6269B0600B408FDB25CF24C994B27B7F6AF4A744F54896CD49B8BA52E778F814CB91

Function 0076BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 0496252f8e5aa656e53c7023ab0ee2b57172352f161ac8e50404bcbef5df83a8
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 935209316087118BC726DF18D8402BAB3E1FFD5319F298A2DDDC797291E738A851CB86

Function 007A8652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5570ebb779e5993bf358328262e3eac6d6d452eb9d02c46cb05a7eba9a29130a
Instruction ID: ac6ccb3114c6d85325fba24501ab1709d0fe5cdbc274b645a2bf96036559cf26
Opcode Fuzzy Hash: 5570ebb779e5993bf358328262e3eac6d6d452eb9d02c46cb05a7eba9a29130a
Instruction Fuzzy Hash: 1022DD35A08345DFCB04DF68E890A2AB7F1FF8A315F098A6DE58987352D739D850CB46

Function 007A86F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feca9054ad1859b34b6c3a006f19dc4f996d85351668bbd0a78cf6ef6456fad1
Instruction ID: 17e1639dfb751d62eed85d3b135df04f06a9a37e9af95b26ac56bba6a2e251f7
Opcode Fuzzy Hash: feca9054ad1859b34b6c3a006f19dc4f996d85351668bbd0a78cf6ef6456fad1
Instruction Fuzzy Hash: 9822AB35608345DFC704DF68E890A2ABBF1FF8A305F098A6DE58987352D739E850CB56

Function 0076B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f3d35466f4a057a76e9bef72ddd7cd0ce68f79d568d086e4b650236e8ce396
Instruction ID: e6443ee750bcd4d1bf72d9436dbfffb5a7ae7dd8602f2573920d512506b72601
Opcode Fuzzy Hash: e5f3d35466f4a057a76e9bef72ddd7cd0ce68f79d568d086e4b650236e8ce396
Instruction Fuzzy Hash: 08528370908B848FE735CB24C4847A7BBE2AB92314F14492EC9D786B82D77DA9C5CB51

Function 007671F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfa2b66c76c9c16f9208665bf2871f63c8a2e877e6882671c3cdd2b06aadb6d
Instruction ID: a8e30fd76c281666ab28edfbd5e1e75134999cc208baf3224a2f8aa743ecac76
Opcode Fuzzy Hash: 8bfa2b66c76c9c16f9208665bf2871f63c8a2e877e6882671c3cdd2b06aadb6d
Instruction Fuzzy Hash: 1652D33150C3458FCB19CF28C0906AABBE1BF88358F198A6DFC9A57352D778D949CB81

Function 00768FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be849bce3612d5aa71605faa21544b308e5b1c42a6e7c90c73e9a80a27fe183a
Instruction ID: fb0ded62acda7a12913656659c0e389904e4c5db6e630301befe1218f6b2c343
Opcode Fuzzy Hash: be849bce3612d5aa71605faa21544b308e5b1c42a6e7c90c73e9a80a27fe183a
Instruction Fuzzy Hash: 4F428875608341DFDB04CF28D85079ABBE5BF89315F09886CE9868B3A1D739D985CF42

Function 007A89A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3120d5aa2302add01a19443fffd0f0dd6a48b5bc047296ad44831fc79120e35f
Instruction ID: e7274f8b471567a74c38b3288798845eb8102a1ec0bb3cd57e44676ef7ecc17c
Opcode Fuzzy Hash: 3120d5aa2302add01a19443fffd0f0dd6a48b5bc047296ad44831fc79120e35f
Instruction Fuzzy Hash: E4029A35608241DFC704DF68E880A1ABBE1FF8A315F098A6DE5C587362D339D964CB96

Function 007A8A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1855bfdd9d603e0677d36932164aaca7a6d82eabbdedceea702309472af126ec
Instruction ID: 7d91965ce5219f3b8de462bfeb044cf69f08930b9b72556381b627610f066084
Opcode Fuzzy Hash: 1855bfdd9d603e0677d36932164aaca7a6d82eabbdedceea702309472af126ec
Instruction Fuzzy Hash: 4FF1783560C341DFC704DF68E880A1AFBE5FB8A315F098A6DE5C987252D73AD910CB96

Function 007A8C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325b1c520a0f36c3e272b6f77eee0708879173cfaf31ff7d26b5753f4379b6b1
Instruction ID: cd18172e62d26b90158bc0131177292decfa283dab31a0ece5f67cae52dee3a1
Opcode Fuzzy Hash: 325b1c520a0f36c3e272b6f77eee0708879173cfaf31ff7d26b5753f4379b6b1
Instruction Fuzzy Hash: 70E1AE31608341DFC704DF28E880A6AFBE1FB8A315F098A6DE5D597352D73AD910CB96

Function 00767C8D Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79991d31bf2e76ef55d8e882532bd322bc055f26bb7fe58f36174050c719b271
Instruction ID: 4fb71ac3a50446bc604f7a3a2ce8bf7f19458e871fc091e518bcd0ae0a47c7e1
Opcode Fuzzy Hash: 79991d31bf2e76ef55d8e882532bd322bc055f26bb7fe58f36174050c719b271
Instruction Fuzzy Hash: 09121170614B108FC368CF29C69056AB7F2BF857447604A2EDAA78BF91D73AF845CB10

Function 0076A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 73fbf74c207732382b9ee20dd697e751a1dbf9e8fdbdfb13b375d30e7f9c9db8
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 64F1CE756083419FC725CF29C88166BFBE2BFD8304F08882DE8C687752E639E945CB52

Function 007A8E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098a006b97d2e5da225dfeced85e358f39ad2a9ffd62d0a8898667d16bc7b6f8
Instruction ID: c042b223286db651751ccc338af82085fc94478d8cae870c7d4f1b3e02cc019e
Opcode Fuzzy Hash: 098a006b97d2e5da225dfeced85e358f39ad2a9ffd62d0a8898667d16bc7b6f8
Instruction Fuzzy Hash: 65D17C3560C241DFD705EF28D890A2AFBF5FB8A305F098A6DE5C587252D73AD810CB96

Function 007A7AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c0bde66b7f714fce792d3b344020bc72f1913d4395049a9f0385863a627062
Instruction ID: d90fc17a97ac1bb3fce8090659b780b4754921b3b0588a1669985ded8e669dd0
Opcode Fuzzy Hash: f7c0bde66b7f714fce792d3b344020bc72f1913d4395049a9f0385863a627062
Instruction Fuzzy Hash: 14B1F772A0C3508BD318DB68CC4576BB7E9ABC6314F084A6CF999D7391E639DC04CB92

Function 0076AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: d34a55cb7ff77d0f5ade4f877d66de8b7cf7c30a4f663d3bb885c1c1f141db9b
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: A4C17CB2A087418FC360CF68DC967ABB7E1FF85318F08492DD5DAC6242E778A155CB46

Function 00776536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8a072bf9ccd96999b2cbe05a93f451ec101fa2ce027058a7b2ca52560e6d94
Instruction ID: 996757e11aef45336d5c1deee7ec4862485470ada7c430ba78e08e6c799ad217
Opcode Fuzzy Hash: cc8a072bf9ccd96999b2cbe05a93f451ec101fa2ce027058a7b2ca52560e6d94
Instruction Fuzzy Hash: DEB100B4600B408FD7258F24C985B27BBF1EF4A744F14885CE8AA8BB52E739F815CB55

Function 007A7710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2666bf0502c92b501e4153906521b931db77336a167fe855309680784f8610da
Instruction ID: 822612383208a662364246562fc3e19d58ef3a65a568332916f03b43b1f9a733
Opcode Fuzzy Hash: 2666bf0502c92b501e4153906521b931db77336a167fe855309680784f8610da
Instruction Fuzzy Hash: 3D919D71A08301ABE728DF14CC85B6BB7E5EBC6351F548A1CF58887352E738E950CB92

Function 007AA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957396c68b26edd0165c377afb986e50bde6e9166967d0274ffce17b3766a204
Instruction ID: 0620f3d5be6f1fccd7b127d58107ffc42259c6684f74869240a2357e25ec7b5f
Opcode Fuzzy Hash: 957396c68b26edd0165c377afb986e50bde6e9166967d0274ffce17b3766a204
Instruction Fuzzy Hash: B3817034208705ABDB24DF28D890A2AB7F5FFDA740F558A2CE58587251E739EC10CB92

Function 007964F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d7a7f868b841a2373eb139e842f9d6ead3dd2dafa08ebb4d9178706e5b7238
Instruction ID: b6a16f4452a309abc1939b89f01a63001b7e3f3852556e2e709c1f8dd7feaa77
Opcode Fuzzy Hash: c8d7a7f868b841a2373eb139e842f9d6ead3dd2dafa08ebb4d9178706e5b7238
Instruction Fuzzy Hash: 3B71E633B29A904BCB149D7C6C823A5AA535BD7334B3EC379A9B4CB3E5D52D8C064350

Function 007828E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7c1b3518c3fbc312c56f8113201087b849e50d264b786b2a857c1df1315635
Instruction ID: 24d7507e447fe705ec254b860fab7aa4f33edb4be1f4c67faaec9e229d50368d
Opcode Fuzzy Hash: 0e7c1b3518c3fbc312c56f8113201087b849e50d264b786b2a857c1df1315635
Instruction Fuzzy Hash: 716188B4448340DBD710AF15D841A2BBBF0FFA2765F18891CE9C58B262E339D911CBA6

Function 00787C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1f96b108116b7e8f37ed3919c4439fe5a3adf6080372b8c58f0b00cc353bc7
Instruction ID: 5e7560c37a634dd96748bf1388308084217bb7919039d5d5cd54f783c18997c2
Opcode Fuzzy Hash: 2a1f96b108116b7e8f37ed3919c4439fe5a3adf6080372b8c58f0b00cc353bc7
Instruction Fuzzy Hash: 1051C2B1748204ABDB24AB64CC86B7773B8EF85364F248958F9868B391F379DC01C761

Function 00791860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: dc337207cc080043d503f7cd9e0c145f1bdc01135b8f55debd1bd93372645779
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 3361CF316093429BDB14CE28E58072FBBE2EBC5360FA4C92EE4898B351D278ED959741

Function 007982D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc17323211b08cc2d597079e6f841dc48b353f4285c401ee9c0188fe200055c7
Instruction ID: 08112b2c25f56e02b382c0c8fc03fba9fd6eb3e4d3669057ab7ce6cd1478cc72
Opcode Fuzzy Hash: cc17323211b08cc2d597079e6f841dc48b353f4285c401ee9c0188fe200055c7
Instruction Fuzzy Hash: 5F614923A5A9914BC755893C6C563AA6A831BD3330F3EC36A98B18B3F5CD6D4C054343

Function 007742FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a098c8e2cafc8e057e3f3541d5401fd6bd416622536840434fbd5ac33a47a6
Instruction ID: f7ac35cb81a00060baf65c1911bf8dcce3c8d5742da53aeaf082536b499e4902
Opcode Fuzzy Hash: a8a098c8e2cafc8e057e3f3541d5401fd6bd416622536840434fbd5ac33a47a6
Instruction Fuzzy Hash: 7D81D1B4810B00AFD360EF39D947757BEF4AB06201F508A1DE8EE96695E7346419CBE2

Function 0079E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: e2e6c0f0da906d8e255c3fa153b371c5185014a1782ce8ef5d66e5d8e6b8a593
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: D6515BB16087548FE714DF69D49436BBBE1BBC9318F044E2DE4E987350E379DA088B82

Function 007A7520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186cb4d77be2630151c8d4d54b0d469c0528631ad9b4ac1e5176f15e234a5787
Instruction ID: 9e635ee97a5a47e8c483fb834e16a26e1e859c822abdccc1700c7474ef1db159
Opcode Fuzzy Hash: 186cb4d77be2630151c8d4d54b0d469c0528631ad9b4ac1e5176f15e234a5787
Instruction Fuzzy Hash: 3151E63160C2009BC7199E18CC90F2EB7E6EBC6755F288B2CE9D557391D639EC11C7A1

Function 00765A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42441c97bf57196ca57fc1c7365f2cbd53b7160632ffd33edc6b0515e6566ae1
Instruction ID: c7038f5c7d493f5fc90c4b9067e653e42412a1911223f565a5e29ca292b0abb6
Opcode Fuzzy Hash: 42441c97bf57196ca57fc1c7365f2cbd53b7160632ffd33edc6b0515e6566ae1
Instruction Fuzzy Hash: 3D51C1B5A047059FC714DF54C880926BBA1FF85324F19866CEC9B8B352DA39EC42CB92

Function 0078EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf792992d77f4519b23dda79b86c874fd5cf811b8b04ef2832347d9910fc13a5
Instruction ID: 17692a5b95f433d45e59393753a66d30116b5c22dc36d3a61b467262b5e61b4a
Opcode Fuzzy Hash: cf792992d77f4519b23dda79b86c874fd5cf811b8b04ef2832347d9910fc13a5
Instruction Fuzzy Hash: 4F419E74A40315DBDF209F94DC91BADB7B0FF0A300F544548E945AB3A1EB38A951CBA5

Function 007A9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6572f896ae324863930e7ca8725b4b259cffb03aa7954c99c36b1e7e7287e9
Instruction ID: 85f48b3ac45885b947fe8cc61e82d8f4fc7542d67af6f3510dedf89b9208f3c6
Opcode Fuzzy Hash: 9b6572f896ae324863930e7ca8725b4b259cffb03aa7954c99c36b1e7e7287e9
Instruction Fuzzy Hash: 8A419474608300EBD710DF25D990B2FB7E6EBC6720F648A1CF68997251D339E810CB66

Function 008BC577 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e910262c10f40bb64fd93c6fc51c47b5203b9d24408376b74167b4ad1f3780
Instruction ID: b040fa8ffd186d8d1a2050e221260d95d679aa187761f46857bc630349d08307
Opcode Fuzzy Hash: f7e910262c10f40bb64fd93c6fc51c47b5203b9d24408376b74167b4ad1f3780
Instruction Fuzzy Hash: 314112F35687089BE3146A2CEC4977AB6D9EB54310F594A3CBBA4C3380FD799905824A

Function 00772030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb071bd19fd6ea5caf30b9fcdcd6525e75b3b3edcc15912a9e1ca856830bd2f
Instruction ID: d909efc07813feacd1c39105ed8f25a112d0f3553853b102736962cc98cb06f2
Opcode Fuzzy Hash: feb071bd19fd6ea5caf30b9fcdcd6525e75b3b3edcc15912a9e1ca856830bd2f
Instruction Fuzzy Hash: 0A412A32A083654FD75DCE39849023ABBE1AFC5340F09C22EE4EA873D1DA788945D791

Function 00771E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de84a1b39b9f2bda1ec2d2b8bd8955f754c5a3e6abfea3ae29a12eae63a2d6a
Instruction ID: 1793bbc13352f27d91858d4d29bcd26337ee0419b368a93b4059dfa6b6977e10
Opcode Fuzzy Hash: 5de84a1b39b9f2bda1ec2d2b8bd8955f754c5a3e6abfea3ae29a12eae63a2d6a
Instruction Fuzzy Hash: 0C41F4745083809BD721AB58C884B1EFBF5FB96385F148D1CF6C497252C37AD814CB66

Function 007A8D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc3b3d69cc98df14e704e240883986fa6432622a15be6f71f0e59c6002d7fb5
Instruction ID: 3fd1497a72da63e2de7a2094df2448a0b899f1bad458219239780f4745523335
Opcode Fuzzy Hash: 9bc3b3d69cc98df14e704e240883986fa6432622a15be6f71f0e59c6002d7fb5
Instruction Fuzzy Hash: 8541C031A092509FC744DF68C49062EFBE6AFDA310F098B6DD4D597292DB78DD018B92

Function 0077D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c68caa781f005ee108ca657f8208189be40fd58a9a98f0659589484a55a776
Instruction ID: 4dd9572a6f43c58255210a1de2a6528e2d3c82c291ae675185a1f8339ed7f427
Opcode Fuzzy Hash: 58c68caa781f005ee108ca657f8208189be40fd58a9a98f0659589484a55a776
Instruction Fuzzy Hash: 3C41BDB1608381CBD7309F14C845BABB7B0FF963A0F048959E58A8B751E7788840CB97

Function 0079F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: d0e8ba2998a46d6b98272ce15bb7f962d130772ebca8fb804f2908fad1b44af1
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 572107329082244BC7249B5DD48163BF7E8EB9A704F16863ED9C4E7296E339DC2487E1

Function 007A67EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48a1b955a870372cbbe97e326392ea48b021b2348c0292a628d230cfa7de7d4
Instruction ID: 3aa75fed7539cdfbb56cfe40fe417c83e48f7c9970f0554663073a98c41c961d
Opcode Fuzzy Hash: b48a1b955a870372cbbe97e326392ea48b021b2348c0292a628d230cfa7de7d4
Instruction Fuzzy Hash: 403106705183829AD714CF14C490A2FBBF0EFD6789F54590DF4C8AB261D338D985CB9A

Function 00785E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c26cdaf1c4f041301edebb89ea6d35fa543944c42cbb780af81ce74d7ce9872
Instruction ID: d04f19484be823a75c23a330e9ae425228879aba649f4293461ec3732679a02d
Opcode Fuzzy Hash: 9c26cdaf1c4f041301edebb89ea6d35fa543944c42cbb780af81ce74d7ce9872
Instruction Fuzzy Hash: 5821B070508201DBC310EF28C84592BB7F4EF92764F448A0CF5D99B292E338DA00CBA3

Function 007649A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 36d19e857c268cda47b40cdae77c1c9d13506bfe53b8c6c1b1842706136da938
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 7E31EA71648300ABD7119EA8D88493BB7E1EF85358F18C92CECDB97241D239DC42CB46

Function 007A64B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19d5cf4902fcc3c20811cda579910aca367c8d7b4df7befad767233cea3801e
Instruction ID: 676df960b9c0df768b71b07a48568094875e8e7adffc9e75e0a38ab0e3266e9e
Opcode Fuzzy Hash: d19d5cf4902fcc3c20811cda579910aca367c8d7b4df7befad767233cea3801e
Instruction Fuzzy Hash: F621397460C280DBC705EF19D480A2EFBE6EBDA745F188A1CE4C493261D739A851CB66

Function 007A5700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0dc4987085d8a16970c608052e364db3862984d3d092fbdd1e17fd74de11842
Instruction ID: f82a22f1097165123fb6ff3c63b1bb427083a8b14ad9a69fb92248de7778eb3e
Opcode Fuzzy Hash: a0dc4987085d8a16970c608052e364db3862984d3d092fbdd1e17fd74de11842
Instruction Fuzzy Hash: 0B119A7591C240EBC301AF28E844E1BBBF5AF97710F058A28E4C49B221D339D811CBA7

Function 0079B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: a7ec7b721ad1f0667397402c903995af6897d31d229b51cdb59ebcc87268006e
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1611E533A051D80ECB168D3CA940565BFA31BE3634B5983D9F4B89B2D2D7269D8A8364

Function 00790B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: e707d510fab99b2c669599a21eb089ec2f97f9dc00094d4f353421cd796e63f4
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: B30188F5A103418FEF21DE94A8D5B3BB2A86F41718F18452CD94A57701DB7DEC05C6D1

Function 0087808E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616d367b9927fbeefaa6b08aec7980695a48b2d9f072519e69ed7bd0c32dc7ba
Instruction ID: 6a72e22734913009a94a5cd27229dcb86c5aa36d3f1852474793ea13ab6f09f5
Opcode Fuzzy Hash: 616d367b9927fbeefaa6b08aec7980695a48b2d9f072519e69ed7bd0c32dc7ba
Instruction Fuzzy Hash: 6601D673A082044FE3486D74EC95366B3D1DB58320F17463DCAC6D76C0DE392D048785

Function 0078D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d8eb736b18a33db8ecc4f21aa64de169e00ca2d7d5743bcd5a7d9d1c002048
Instruction ID: ccf279504148e7f0c57aa45536f6beb4a57492b41f785a6eb0c3ef9723fc4ca2
Opcode Fuzzy Hash: f0d8eb736b18a33db8ecc4f21aa64de169e00ca2d7d5743bcd5a7d9d1c002048
Instruction Fuzzy Hash: AC11EFB0418380EFD320AF618494A1FFBE5EB96714F148C0DF5A49B251C379D815CF56

Function 00766EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb885be0d3086641b6ecfc50d27884ab486c61f11ffdc24c11f493ec321ba16b
Instruction ID: 4ab2c36cc1d6132f3a870c8dfcae53d23d60b5c513bcc94ac32d73489fd26d3d
Opcode Fuzzy Hash: fb885be0d3086641b6ecfc50d27884ab486c61f11ffdc24c11f493ec321ba16b
Instruction Fuzzy Hash: 36F0593E75820A0BA210DDAAE8C0C7BF3D6D7CA364B045538EE42C3201CD76E80281E4

Function 0079B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 0077C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 0077B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 6b97ca09f7ac340537f68709990255066a1205eb578c320ca39de7c81a9d63ce
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: A0F0ECB170455057DF228A549CC4F37BB9CCF87394F190426EC4997103E2655845C3E5

Function 00798220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cbbc5b2f1ffb85f227748664a53444509cc0cdb3320114a3cdc689d75a1928
Instruction ID: 98ba7e22538a8ac59a1f25b773ec62dcc5e1accd4086e7f9ff789e2553ea8ccc
Opcode Fuzzy Hash: 93cbbc5b2f1ffb85f227748664a53444509cc0cdb3320114a3cdc689d75a1928
Instruction Fuzzy Hash: 3601E4B0410700AFC360EF29C445757BBE8EB49714F008A1DE8AECB680D774A5448B82

Function 007A1440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 769d7f9857d153565a79eb9cde9cfb971f7c410fb5444f7f58e71d28f670404a
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 3CD0973160836146AF348E1DA400877F7F0EACBB11F88821EF982E3148E230DC00C2A9

Function 00771ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fdb8411abdc59d78ab1232c034da3620516edcc2071ecaebf641fc500359a44
Instruction ID: 3d60ca53f43378df287fd907cbeb808b1faee90e2bfe0c12fccdcc76d5c19cd9
Opcode Fuzzy Hash: 9fdb8411abdc59d78ab1232c034da3620516edcc2071ecaebf641fc500359a44
Instruction Fuzzy Hash: 07C080345180408BC204DF44FC9553173BC534B309740F03AD503F3321C628C411950D

Function 007A6094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c59fe8f71bfbe96f58bb42656dbac1825d09b515265af290eef8f785c4e5c9d
Instruction ID: 87bc85fcfcfceb13c1785b0a7d418ca2f912fdf08b97c4e68860190923525e33
Opcode Fuzzy Hash: 7c59fe8f71bfbe96f58bb42656dbac1825d09b515265af290eef8f785c4e5c9d
Instruction Fuzzy Hash: 75C09B7465D00097B10CCF04D951D76F3769FD7718724F21DC80623259C13CD553951C

Function 00771A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fc210dbfd3336a069641a2768b167d4279834ff1da09fb5cd8c9e2184fcd57
Instruction ID: d639867fbc9cdb8550e218fb71a4d726c8eb110cc83629eb1f550f3779a2ad8f
Opcode Fuzzy Hash: a2fc210dbfd3336a069641a2768b167d4279834ff1da09fb5cd8c9e2184fcd57
Instruction Fuzzy Hash: 1BC09B34A5D080CBC648DFC9E8D1431A3FC534B249750F03BD747F7261C564D405960D

Function 007A5FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127679952.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.2127665280.0000000000760000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.00000000007C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.000000000094C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127721087.0000000000A6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127978440.0000000000A70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128100279.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128115597.0000000000C0F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4f4abbe8dceaf0cc26194818220514b2ff958400300bfd20fee34a3d3c77cc
Instruction ID: e89eeddfb4aab4e891bd06ba3d9d7406661e8943e6315aed804a228af4a7dadc
Opcode Fuzzy Hash: 4b4f4abbe8dceaf0cc26194818220514b2ff958400300bfd20fee34a3d3c77cc
Instruction Fuzzy Hash: E6C09264BA80008BB24CCF18DD61E36F2BA9F8BB18B14F22DC806A325AD138D552860C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 0076FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 0076D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 007A5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 007A695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 0077049B Relevance: .3, Instructions: 264
COMMON

Function 00770228 Relevance: .2, Instructions: 218
COMMON

Function 007A99D0 Relevance: .1, Instructions: 143
COMMON

Function 007A3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 007A3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON