Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528567
MD5:	30f95ad37ec36dbf01a9d0e27d1235a4
SHA1:	f5b3002885d3f29a2d4517dc842728127db3acc8
SHA256:	2d183e51ffc471e6ffd01a38d5c5935c9d723e61ec3d44b7ddf72a52e87a53b2
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 30F95AD37EC36DBF01A9D0E27D1235A4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["studennotediw.stor", "bathdoomgaz.stor", "dissapoiznw.stor", "mobbipenju.stor", "clearancek.site", "eaglepawnoy.stor", "spirittunek.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:10.038599+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49707	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:10.038599+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49707	172.67.206.204	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:07.086419+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.8	59873	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:06.999657+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.8	52854	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:07.058225+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.8	61450	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:07.047353+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.8	59347	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:07.107623+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.8	55909	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:07.028262+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.8	51187	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:07.097101+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.8	52665	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T02:10:07.068467+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.8	55774	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7620.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["studennotediw.stor", "bathdoomgaz.stor", "dissapoiznw.stor", "mobbipenju.stor", "clearancek.site", "eaglepawnoy.stor", "spirittunek.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: sergei-esenin.com	Virustotal: Detection: 11%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 13%	Perma Link
Source: eaglepawnoy.store	Virustotal: Detection: 17%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 13%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 13%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 13%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.8:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DBD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DBD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00DF63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DF5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00DF99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_00DF695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00DBFCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00DC0EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00DF6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00DF4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00DB1000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_00DEF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00DC6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00DDD1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00DC42FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00DD2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00DD2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00DE23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00DE23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00DE23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00DE23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00DE23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_00DE23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_00DBA300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00DF64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00DCD457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00DF1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00DDC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_00DCB410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00DDE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00DB8590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00DD9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00DC6536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00DF7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00DEB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00DDE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_00DF67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00DDD7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00DF7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00DD28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00DB49A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00DCD961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00DF3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00DC1ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00DB5A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00DF4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00DC1A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00DC1BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00DC3BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00DE0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_00DCDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_00DCDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00DF9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_00DDCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DDCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_00DDCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DF9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00DF9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00DDAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_00DDAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_00DDEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00DD7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_00DEFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DF8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_00DDFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00DDDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00DC1E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00DC6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_00DBBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00DB6EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_00DDAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DD5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00DD7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00DC4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_00DCFFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00DF5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00DB8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00DF7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DF7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00DC6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00DEFF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00DD9F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.8:52665 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.8:59347 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.8:55774 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.8:52854 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.8:59873 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.8:55909 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.8:61450 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.8:51187 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49707 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 172.67.206.204:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: licendfilteo.site

Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 172.67.206.204 172.67.206.204

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0u0umcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: mcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bathdoomgaz.store/api
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site/api
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dissapoiznw.store/api
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://licendfilteo.site/api
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1462605489.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.1462605489.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/3
Source: file.exe, 00000000.00000003.1462605489.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiUk
Source: file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/mk(F
Source: file.exe, 00000000.00000003.1462605489.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/s
Source: file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spirittunek.store/api=k
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1476673720.0000000001810000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studennotediw.store/api
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.8:49707 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC0228	0_2_00DC0228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFA0D0	0_2_00DFA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF4040	0_2_00DF4040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB1000	0_2_00DB1000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC2030	0_2_00DC2030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB71F0	0_2_00DB71F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBE1A0	0_2_00DBE1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB5160	0_2_00DB5160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109	0_2_00F75109
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F892F3	0_2_00F892F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE82D0	0_2_00DE82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE12D0	0_2_00DE12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB12F7	0_2_00DB12F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE23E0	0_2_00DE23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB13A3	0_2_00DB13A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBB3A0	0_2_00DBB3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F7A337	0_2_00F7A337
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBA300	0_2_00DBA300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE64F0	0_2_00DE64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC049B	0_2_00DC049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC4487	0_2_00DC4487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDC470	0_2_00DDC470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCC5F0	0_2_00DCC5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E695A4	0_2_00E695A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB8590	0_2_00DB8590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB35B0	0_2_00DB35B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4F574	0_2_00E4F574
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF86F0	0_2_00DF86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF8652	0_2_00DF8652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB164F	0_2_00DB164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEF620	0_2_00DEF620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F877F9	0_2_00F877F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB8C0	0_2_00DEB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEE8A0	0_2_00DEE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBA850	0_2_00DBA850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE1860	0_2_00DE1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F7D823	0_2_00F7D823
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6D9A6	0_2_00E6D9A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD098B	0_2_00DD098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF89A0	0_2_00DF89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF8A80	0_2_00DF8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF7AB0	0_2_00DF7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF4A40	0_2_00DF4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB7BF0	0_2_00DB7BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCDB6F	0_2_00DCDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDCCD0	0_2_00DDCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F7BCF9	0_2_00F7BCF9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE9CF1	0_2_00EE9CF1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF6CBF	0_2_00DF6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF8C02	0_2_00DF8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F76C03	0_2_00F76C03
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F78C0B	0_2_00F78C0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD8D62	0_2_00DD8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDFD10	0_2_00DDFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDDD29	0_2_00DDDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F80D00	0_2_00F80D00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8AD03	0_2_00F8AD03
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC6EBF	0_2_00DC6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBBEB0	0_2_00DBBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DDAE57	0_2_00DDAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF8E70	0_2_00DF8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC4E2A	0_2_00DC4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB8FD0	0_2_00DB8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF7FC0	0_2_00DF7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBAF10	0_2_00DBAF10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00DBCAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00DCD300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9995874587458746
Source: file.exe	Static PE information: Section: xmuksiop ZLIB complexity 0.9941815374544627

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00DE8220 CoCreateInstance,

0_2_00DE8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1856512 > 1048576

Source: file.exe

Static PE information: Raw size of xmuksiop is bigger than: 0x100000 < 0x19bc00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.db0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xmuksiop:EW;qbjqiedn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xmuksiop:EW;qbjqiedn:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1cd536 should be: 0x1ccc0f

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: xmuksiop
Source: file.exe	Static PE information: section name: qbjqiedn
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB70CF push ebp; mov dword ptr [esp], ebx	0_2_00FB7127
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101015D push 6E34BE9Ch; mov dword ptr [esp], eax	0_2_01010825
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01252179 push ebp; mov dword ptr [esp], 35F550E1h	0_2_012521E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01252179 push ecx; mov dword ptr [esp], ebp	0_2_0125220F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8D074 push 1131B9E9h; mov dword ptr [esp], esi	0_2_00E8D171
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100A1BA push 23F7DBE6h; mov dword ptr [esp], edx	0_2_0100A23D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010041CE push ebx; mov dword ptr [esp], 35D788F0h	0_2_01004229
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010041CE push 114A06B1h; mov dword ptr [esp], ebx	0_2_010042A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010461FF push esi; mov dword ptr [esp], ebp	0_2_010462CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102E1FE push esi; mov dword ptr [esp], esp	0_2_0102E227
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102E1FE push 20CA137Ah; mov dword ptr [esp], ebx	0_2_0102E28C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB41F8 push ecx; mov dword ptr [esp], 1DBB57E1h	0_2_00FB4237
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100D030 push 7A21426Fh; mov dword ptr [esp], esi	0_2_0100D041
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105E058 push eax; mov dword ptr [esp], edi	0_2_0105E0EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104A074 push eax; mov dword ptr [esp], ebp	0_2_0104A0BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102E085 push 708FC9B4h; mov dword ptr [esp], edx	0_2_0102E0F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010080BE push esi; mov dword ptr [esp], eax	0_2_010080E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED2135 push ebx; mov dword ptr [esp], ecx	0_2_00ED213F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED2135 push edx; mov dword ptr [esp], ebx	0_2_00ED2195
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104F0E5 push eax; mov dword ptr [esp], ecx	0_2_0104F953
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9F10D push esi; mov dword ptr [esp], ecx	0_2_00F9F117
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push 2B1608C6h; mov dword ptr [esp], ebx	0_2_00F75139
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push 5B712B62h; mov dword ptr [esp], esp	0_2_00F751A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push ebp; mov dword ptr [esp], eax	0_2_00F75239
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push 346D6843h; mov dword ptr [esp], edi	0_2_00F7524B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push edx; mov dword ptr [esp], ebx	0_2_00F75264
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push ebp; mov dword ptr [esp], edi	0_2_00F75289
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push 4C2A1A1Dh; mov dword ptr [esp], edx	0_2_00F752B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push 1F736463h; mov dword ptr [esp], edi	0_2_00F752D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push ecx; mov dword ptr [esp], edx	0_2_00F75345
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F75109 push edi; mov dword ptr [esp], edx	0_2_00F7542F

Source: file.exe	Static PE information: section name: entropy: 7.983406795783042
Source: file.exe	Static PE information: section name: xmuksiop entropy: 7.953920296605131

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E14069 second address: E1406F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1406F second address: E14087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCFD96F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F90AED second address: F90AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F90AF3 second address: F90B05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a jg 00007FB8DCFD96ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F90B05 second address: F90B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FB8DCECAB36h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F90B13 second address: F90B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F90B23 second address: F90B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCECAB49h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8FC3E second address: F8FC4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007FB8DCFD96E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8FD83 second address: F8FD96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8FF46 second address: F8FF4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8FF4C second address: F8FF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCECAB3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F90226 second address: F9022C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92331 second address: F9237F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB8DCECAB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c jmp 00007FB8DCECAB43h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push edi 0x00000016 push ecx 0x00000017 jmp 00007FB8DCECAB42h 0x0000001c pop ecx 0x0000001d pop edi 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 jmp 00007FB8DCECAB3Fh 0x00000028 pop edi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9237F second address: F92385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92407 second address: F9246D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB40h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jp 00007FB8DCECAB42h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FB8DCECAB38h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov edx, dword ptr [ebp+122D1AD6h] 0x00000031 mov edx, ebx 0x00000033 push 00000000h 0x00000035 jg 00007FB8DCECAB36h 0x0000003b push ADF2B733h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9246D second address: F92473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92473 second address: F92478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92478 second address: F924D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB8DCFD96F0h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 520D494Dh 0x00000012 jmp 00007FB8DCFD96F6h 0x00000017 push 00000003h 0x00000019 sub dword ptr [ebp+122D330Ch], edi 0x0000001f push 00000000h 0x00000021 jnp 00007FB8DCFD96EAh 0x00000027 mov di, C7B8h 0x0000002b push 00000003h 0x0000002d mov si, 8000h 0x00000031 push 925D71CBh 0x00000036 push eax 0x00000037 push edx 0x00000038 jg 00007FB8DCFD96ECh 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F924D4 second address: F924D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F924D8 second address: F924F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCFD96F5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F925DC second address: F92654 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c clc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FB8DCECAB38h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D1A1Fh], eax 0x0000002f call 00007FB8DCECAB39h 0x00000034 jng 00007FB8DCECAB43h 0x0000003a jmp 00007FB8DCECAB3Dh 0x0000003f push eax 0x00000040 pushad 0x00000041 jno 00007FB8DCECAB45h 0x00000047 push esi 0x00000048 push edx 0x00000049 pop edx 0x0000004a pop esi 0x0000004b popad 0x0000004c mov eax, dword ptr [esp+04h] 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92654 second address: F9265A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9265A second address: F92688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edx 0x0000000b jmp 00007FB8DCECAB45h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 ja 00007FB8DCECAB36h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92688 second address: F9271D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop eax 0x00000008 xor dword ptr [ebp+122D3461h], ecx 0x0000000e push 00000003h 0x00000010 sbb ecx, 3C627C90h 0x00000016 push 00000000h 0x00000018 mov esi, 473CEE16h 0x0000001d push 00000003h 0x0000001f mov esi, dword ptr [ebp+122D34EDh] 0x00000025 call 00007FB8DCFD96E9h 0x0000002a jc 00007FB8DCFD96EAh 0x00000030 push eax 0x00000031 jnp 00007FB8DCFD96F8h 0x00000037 mov eax, dword ptr [esp+04h] 0x0000003b pushad 0x0000003c jbe 00007FB8DCFD96F0h 0x00000042 jmp 00007FB8DCFD96F7h 0x00000047 popad 0x00000048 mov eax, dword ptr [eax] 0x0000004a pushad 0x0000004b jmp 00007FB8DCFD96EFh 0x00000050 pushad 0x00000051 push esi 0x00000052 pop esi 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9271D second address: F9275E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007FB8DCECAB3Fh 0x0000000f pop eax 0x00000010 adc si, 75FDh 0x00000015 lea ebx, dword ptr [ebp+12452284h] 0x0000001b or edi, 55E49CDAh 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FB8DCECAB43h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9284E second address: F9285D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9285D second address: F92861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92861 second address: F9286B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9286B second address: F928F5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8DCECAB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jno 00007FB8DCECAB4Dh 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push edi 0x00000018 jp 00007FB8DCECAB38h 0x0000001e pop edi 0x0000001f pop eax 0x00000020 stc 0x00000021 push 00000003h 0x00000023 mov ch, dh 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007FB8DCECAB38h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov dword ptr [ebp+122D1FD7h], eax 0x00000047 push 00000003h 0x00000049 mov edx, dword ptr [ebp+122D2912h] 0x0000004f push ABDED147h 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FB8DCECAB40h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F928F5 second address: F928FE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F928FE second address: F92931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 add dword ptr [esp], 14212EB9h 0x0000000f jnc 00007FB8DCECAB42h 0x00000015 lea ebx, dword ptr [ebp+1245228Fh] 0x0000001b and edi, 0810D8ABh 0x00000021 push eax 0x00000022 push ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92931 second address: F92935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA530D second address: FA5312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB4173 second address: FB4177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB4177 second address: FB417D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB1FD4 second address: FB1FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jns 00007FB8DCFD96E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB212A second address: FB2141 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jng 00007FB8DCECAB36h 0x0000000d pop ebx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FB8DCECAB36h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB229B second address: FB22A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB22A1 second address: FB22AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB22AA second address: FB22B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB8DCFD96E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB22B5 second address: FB22C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jbe 00007FB8DCECAB36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB22C1 second address: FB22C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2556 second address: FB2573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCECAB49h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2850 second address: FB287F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FB8DCFD96F1h 0x0000000b jmp 00007FB8DCFD96F0h 0x00000010 jng 00007FB8DCFD96E6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB287F second address: FB2884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB29B4 second address: FB29D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FB8DCFD96F2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB29D1 second address: FB29DD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007FB8DCECAB36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2CA5 second address: FB2CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2CA9 second address: FB2CB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2CB7 second address: FB2CC3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB8DCFD96EEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2E2D second address: FB2E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2E31 second address: FB2E47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FB8DCFD96E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2E47 second address: FB2E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2FF1 second address: FB2FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3158 second address: FB3167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007FB8DCECAB3Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3306 second address: FB330C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB330C second address: FB3313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3868 second address: FB3874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FB8DCFD96E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3B3C second address: FB3B43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB4001 second address: FB4009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA9B5 second address: FBA9BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBAEFE second address: FBAF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9773 second address: FB9779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBB1A4 second address: FBB1AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB8DCFD96E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE1AB second address: FBE1B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE1B3 second address: FBE1B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFFE5 second address: FBFFEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC0338 second address: FC034E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007FB8DCFD96EAh 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC034E second address: FC0358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB8DCECAB36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC0436 second address: FC043A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC07D5 second address: FC07E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB8DCECAB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FB8DCECAB3Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC0C30 second address: FC0C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC0F86 second address: FC0F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC1207 second address: FC1215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC1215 second address: FC122F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FB8DCECAB3Eh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3E95 second address: FC3EA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3EA7 second address: FC3EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007FB8DCECAB36h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB8DCECAB3Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC546B second address: FC5471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5299 second address: FC529D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5471 second address: FC5476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5476 second address: FC548C instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8DCECAB38h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FB8DCECAB36h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC548C second address: FC5490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC5490 second address: FC54FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FB8DCECAB38h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f nop 0x00000010 jmp 00007FB8DCECAB3Ch 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FB8DCECAB38h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 add di, 2BF3h 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a jbe 00007FB8DCECAB4Eh 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC6D7B second address: FC6D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC6D7F second address: FC6D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FB8DCECAB3Eh 0x0000000e jo 00007FB8DCECAB36h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7DE8 second address: FC7DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FB8DCFD96E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7DF2 second address: FC7E0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007FB8DCECAB3Bh 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7E0D second address: FC7E11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7E11 second address: FC7EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 call 00007FB8DCECAB3Fh 0x0000000d pushad 0x0000000e mov edi, dword ptr [ebp+122D33CEh] 0x00000014 mov dword ptr [ebp+122D1ED0h], esi 0x0000001a popad 0x0000001b pop esi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FB8DCECAB38h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 pushad 0x00000039 mov ecx, dword ptr [ebp+122D36F9h] 0x0000003f popad 0x00000040 mov si, di 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push ebx 0x00000048 call 00007FB8DCECAB38h 0x0000004d pop ebx 0x0000004e mov dword ptr [esp+04h], ebx 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc ebx 0x0000005b push ebx 0x0000005c ret 0x0000005d pop ebx 0x0000005e ret 0x0000005f xchg eax, ebx 0x00000060 pushad 0x00000061 jng 00007FB8DCECAB45h 0x00000067 jmp 00007FB8DCECAB3Fh 0x0000006c push eax 0x0000006d push edx 0x0000006e jl 00007FB8DCECAB36h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7EAA second address: FC7EC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8DCFD96F0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD0FB second address: FCD0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD0FF second address: FCD11C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FB8DCFD96F1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD11C second address: FCD121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCC0FC second address: FCC101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCC1F6 second address: FCC1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCE1D9 second address: FCE1FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FB8DCFD96ECh 0x00000012 jnc 00007FB8DCFD96E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCE1FF second address: FCE204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCE204 second address: FCE22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b clc 0x0000000c or ebx, dword ptr [ebp+122D223Fh] 0x00000012 popad 0x00000013 push 00000000h 0x00000015 mov ebx, dword ptr [ebp+122D1F6Ah] 0x0000001b push 00000000h 0x0000001d mov ebx, dword ptr [ebp+124531B8h] 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCE22E second address: FCE243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCE243 second address: FCE24D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB8DCFD96E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCE24D second address: FCE251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCF29A second address: FCF2F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FB8DCFD96E8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 movzx ebx, si 0x0000002c push 00000000h 0x0000002e xchg eax, esi 0x0000002f jmp 00007FB8DCFD96F7h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 pushad 0x00000039 popad 0x0000003a pop eax 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0292 second address: FD0296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0296 second address: FD029A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0343 second address: FD0347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0347 second address: FD034B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD034B second address: FD0354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD13B7 second address: FD13BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0507 second address: FD051F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB8DCECAB38h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FB8DCECAB38h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD231A second address: FD231F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD231F second address: FD2325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD24C4 second address: FD24C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD24C8 second address: FD24E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a jmp 00007FB8DCECAB41h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD6ABD second address: FD6AC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD6AC3 second address: FD6AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDAA42 second address: FDAA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD6C55 second address: FD6CF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 clc 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov dword ptr [ebp+122D1A1Fh], ecx 0x00000017 push edx 0x00000018 jnc 00007FB8DCECAB3Ch 0x0000001e pop edi 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 jmp 00007FB8DCECAB49h 0x0000002b mov eax, dword ptr [ebp+122D1241h] 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007FB8DCECAB38h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b cmc 0x0000004c stc 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007FB8DCECAB38h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000018h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 je 00007FB8DCECAB39h 0x0000006f mov bx, si 0x00000072 push eax 0x00000073 push ecx 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD6CF1 second address: FD6CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD6CF5 second address: FD6CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8C4A second address: FD8CDB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8DCFD96E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push edi 0x0000000d movzx ebx, cx 0x00000010 pop ebx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov bx, di 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007FB8DCFD96E8h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c mov eax, dword ptr [ebp+122D0009h] 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007FB8DCFD96E8h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c mov ebx, dword ptr [ebp+122D3825h] 0x00000062 push FFFFFFFFh 0x00000064 nop 0x00000065 pushad 0x00000066 jng 00007FB8DCFD96F6h 0x0000006c jmp 00007FB8DCFD96F0h 0x00000071 push eax 0x00000072 push edx 0x00000073 jne 00007FB8DCFD96E6h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9BD2 second address: FD9BD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9BD8 second address: FD9BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9BDE second address: FD9BE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDBC02 second address: FDBC06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE39E9 second address: FE39EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE39EF second address: FE39F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE39F3 second address: FE3A2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a jnp 00007FB8DCECAB4Eh 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FB8DCECAB46h 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FB8DCECAB3Bh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE3A2D second address: FE3A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7828B second address: F78291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78291 second address: F78295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE32BF second address: FE32C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE344A second address: FE3450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE358F second address: FE359E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007FB8DCECAB36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEAD28 second address: FEAD2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEC2C8 second address: FEC2CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEC2CE second address: FEC2EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EBh 0x00000007 jmp 00007FB8DCFD96EAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF123F second address: FF124A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF052E second address: FF0536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF09A3 second address: FF09B7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB8DCECAB3Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1092 second address: FF1098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1098 second address: FF10A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB8DCECAB55h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3EA5 second address: FF3EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F79DC7 second address: F79DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F79DCD second address: F79DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB8DCFD96E6h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F79DDC second address: F79E13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FB8DCECAB3Dh 0x0000000c jp 00007FB8DCECAB36h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 je 00007FB8DCECAB36h 0x0000001e jmp 00007FB8DCECAB3Bh 0x00000023 popad 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F79E13 second address: F79E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F79E19 second address: F79E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F79E1E second address: F79E28 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8DCFD96ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF920C second address: FF922B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FB8DCECAB3Eh 0x0000000c jnp 00007FB8DCECAB36h 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 jng 00007FB8DCECAB46h 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF922B second address: FF922F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF94DE second address: FF94FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FB8DCECAB36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FB8DCECAB44h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF94FE second address: FF9503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF97A8 second address: FF97AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8EB6 second address: FF8EBE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9BE9 second address: FF9BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9BEF second address: FF9C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCFD96F5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e ja 00007FB8DCFD96E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFEB6E second address: FFEB73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFEB73 second address: FFEB7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFEB7B second address: FFEB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD9F8 second address: FFDA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFDA02 second address: FFDA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FB8DCECAB3Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFDA1E second address: FFDA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9170 second address: FC9174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9174 second address: FC917A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC958C second address: FC95C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 xor dword ptr [esp], 79D3F901h 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FB8DCECAB38h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 61103BD7h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC95C4 second address: FC95C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC95C8 second address: FC95CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC96C1 second address: FC96CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC96CD second address: FC96D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC96D1 second address: FC96D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC98B7 second address: FC98DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jns 00007FB8DCECAB40h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC99D4 second address: FC99D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9B1D second address: FC9B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9B23 second address: FC9B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8DCFD96F0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCA354 second address: FAAF8F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007FB8DCECAB36h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FB8DCECAB38h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D23A7h], ecx 0x0000002d call dword ptr [ebp+122D1B6Eh] 0x00000033 je 00007FB8DCECAB4Eh 0x00000039 ja 00007FB8DCECAB3Ah 0x0000003f pushad 0x00000040 push ecx 0x00000041 pop ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFDE3F second address: FFDE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFDFD1 second address: FFDFF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FB8DCECAB36h 0x00000016 jmp 00007FB8DCECAB3Fh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE57B second address: FFE57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE57F second address: FFE583 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE583 second address: FFE594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007FB8DCFD96E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE594 second address: FFE5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCECAB40h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8DCECAB41h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE5BE second address: FFE5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A842 second address: F8A874 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8DCECAB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8DCECAB43h 0x00000012 jc 00007FB8DCECAB42h 0x00000018 jmp 00007FB8DCECAB3Ah 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1003DF1 second address: 1003DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FB8DCFD96F2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1003DFE second address: 1003E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB8DCECAB36h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FB8DCECAB46h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1003E23 second address: 1003E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8DCFD96E6h 0x0000000a jmp 00007FB8DCFD96F1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1003E40 second address: 1003E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FB8DCECAB3Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100431B second address: 100431F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100431F second address: 100432A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10045DC second address: 10045E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10045E1 second address: 10045F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FB8DCECAB36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1004731 second address: 1004737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1004737 second address: 100475B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FB8DCECAB36h 0x0000000d jmp 00007FB8DCECAB43h 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10049F9 second address: 1004A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCFD96EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1004CB8 second address: 1004CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1008B23 second address: 1008B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A15B second address: 100A174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCECAB45h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100D256 second address: 100D25C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100D25C second address: 100D262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100CEBD second address: 100CEE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jng 00007FB8DCFD96E6h 0x00000010 pop ebx 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100CEE5 second address: 100CEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100CEE9 second address: 100CEFF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FB8DCFD96EEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100CEFF second address: 100CF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100CF04 second address: 100CF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F6FE second address: 100F720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB8DCECAB48h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F720 second address: 100F72A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8DCFD96E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F72A second address: 100F741 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F741 second address: 100F747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8738B second address: F873AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8DCECAB47h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F294 second address: 100F2A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FB8DCFD96ECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100F2A6 second address: 100F2E0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8DCECAB36h 0x00000008 jmp 00007FB8DCECAB48h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB8DCECAB40h 0x00000016 jg 00007FB8DCECAB36h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10143A4 second address: 10143AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8DCFD96E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10143AF second address: 10143EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB3Bh 0x00000007 jc 00007FB8DCECAB3Ch 0x0000000d ja 00007FB8DCECAB36h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jnp 00007FB8DCECAB3Eh 0x0000001c jmp 00007FB8DCECAB41h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10143EE second address: 10143F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014513 second address: 1014534 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FB8DCECAB41h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014534 second address: 101454C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8DCFD96EEh 0x00000008 jnp 00007FB8DCFD96E6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007FB8DCFD96E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1017A7F second address: 1017A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101DB95 second address: 101DBE1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FB8DCFD96F2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB8DCFD96EDh 0x00000010 jl 00007FB8DCFD9704h 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101C56C second address: 101C572 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101C572 second address: 101C586 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB8DCFD96ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101C73C second address: 101C760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8DCECAB44h 0x0000000f jl 00007FB8DCECAB36h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CA28 second address: 101CA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8DCFD96EFh 0x0000000d jnl 00007FB8DCFD96FEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CA5D second address: 101CA63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CA63 second address: 101CA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CA69 second address: 101CA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CBAB second address: 101CBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8DCFD96E6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB8DCFD96F9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CBD1 second address: 101CBD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9D40 second address: FC9D45 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CCEA second address: 101CCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CE49 second address: 101CE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CE4D second address: 101CE59 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB8DCECAB36h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101CE59 second address: 101CE61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025D91 second address: 1025D9D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB8DCECAB3Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025D9D second address: 1025DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007FB8DCFD96E6h 0x0000000c js 00007FB8DCFD96E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025DAF second address: 1025DC6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB8DCECAB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jbe 00007FB8DCECAB36h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025DC6 second address: 1025DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025DCC second address: 1025DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8DCECAB36h 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FB8DCECAB46h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023E6A second address: 1023E70 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023FAB second address: 1023FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023FB1 second address: 1023FC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8DCFD96EAh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1023FC7 second address: 1023FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1024480 second address: 102449E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007FB8DCFD96E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FB8DCFD96F2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102449E second address: 10244A5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1024F4B second address: 1024F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1024F4F second address: 1024F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10254AB second address: 10254AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10254AF second address: 10254B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025774 second address: 1025779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025779 second address: 1025791 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 jns 00007FB8DCECAB36h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 jbe 00007FB8DCECAB36h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025A82 second address: 1025A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB8DCFD96E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025A8C second address: 1025A90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025A90 second address: 1025A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1025A96 second address: 1025AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8DCECAB49h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FB8DCECAB48h 0x00000012 ja 00007FB8DCECAB3Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102DA00 second address: 102DA04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102DA04 second address: 102DA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102DB6D second address: 102DB78 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007FB8DCFD96E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102DB78 second address: 102DB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102E194 second address: 102E19A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102E19A second address: 102E1A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB8DCECAB36h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102E5E1 second address: 102E5F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EAh 0x00000007 jno 00007FB8DCFD96E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102E5F5 second address: 102E603 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8DCECAB38h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102E603 second address: 102E632 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push ebx 0x0000000d jmp 00007FB8DCFD96F5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102E632 second address: 102E651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8DCECAB48h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1037FBA second address: 1037FC0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103624C second address: 1036251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036251 second address: 1036257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036594 second address: 103659C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103659C second address: 10365A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10366FB second address: 10366FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10366FF second address: 1036705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036B4C second address: 1036B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jne 00007FB8DCECAB36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036B58 second address: 1036B84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EFh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FB8DCFD96F4h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036B84 second address: 1036BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCECAB41h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007FB8DCECAB45h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1037015 second address: 103701C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10376D0 second address: 10376E2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8DCECAB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jnc 00007FB8DCECAB36h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10376E2 second address: 10376F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1037E5C second address: 1037E62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103D68C second address: 103D692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103D861 second address: 103D875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8DCECAB36h 0x0000000a jbe 00007FB8DCECAB36h 0x00000010 popad 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103D9CC second address: 103D9D9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8DCFD96E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1048BC4 second address: 1048BEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB48h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FB8DCECAB36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1048BEA second address: 1048BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1048793 second address: 1048798 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10488FE second address: 1048902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104E4B9 second address: 104E4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104E4C0 second address: 104E4D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FB8DCFD96F3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1053DDD second address: 1053DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105DFED second address: 105DFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105DFF3 second address: 105DFF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106334C second address: 1063378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FB8DCFD96ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FB8DCFD96E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10631D9 second address: 10631DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10631DF second address: 10631F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8DCFD96F4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10684DD second address: 106851C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCECAB45h 0x00000009 jbe 00007FB8DCECAB36h 0x0000000f popad 0x00000010 jmp 00007FB8DCECAB43h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007FB8DCECAB36h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106851C second address: 1068520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1068520 second address: 106853C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8DCECAB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FB8DCECAB36h 0x00000013 je 00007FB8DCECAB36h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106853C second address: 1068569 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96EBh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8DCFD96EAh 0x0000000e jmp 00007FB8DCFD96F4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10686D7 second address: 10686ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FB8DCECAB40h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1068D93 second address: 1068D9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106D168 second address: 106D199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCECAB48h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c jo 00007FB8DCECAB38h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 js 00007FB8DCECAB44h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106D199 second address: 106D19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107B1EF second address: 107B1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007FB8DCECAB36h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107B1FC second address: 107B209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FB8DCFD96E6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107B209 second address: 107B21A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB3Ch 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107B07A second address: 107B098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8DCFD96F7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107B098 second address: 107B0A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107B0A1 second address: 107B0B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FB8DCFD96E6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107B0B4 second address: 107B0B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1079A35 second address: 1079A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B652 second address: 108B695 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB49h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8DCECAB49h 0x0000000e jmp 00007FB8DCECAB3Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B1B5 second address: 108B1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B1BB second address: 108B1BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A4B14 second address: 10A4B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A4B18 second address: 10A4B1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A4C7E second address: 10A4C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCFD96EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A78EB second address: 10A7902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCECAB42h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A7C08 second address: 10A7C4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCFD96F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push ebx 0x0000000c ja 00007FB8DCFD96F6h 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 pushad 0x00000019 ja 00007FB8DCFD96E6h 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 popad 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AADB0 second address: 10AADED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB8DCECAB36h 0x0000000a popad 0x0000000b jnc 00007FB8DCECAB5Ah 0x00000011 jp 00007FB8DCECAB3Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AA959 second address: 10AA963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FB8DCFD96E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AA963 second address: 10AA998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnp 00007FB8DCECAB4Bh 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FB8DCECAB43h 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007FB8DCECAB36h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380C24 second address: 5380C2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380C2A second address: 5380CA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCECAB49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b pushad 0x0000000c mov cx, FB13h 0x00000010 mov edi, eax 0x00000012 popad 0x00000013 jns 00007FB8DCECAB57h 0x00000019 pushad 0x0000001a mov ebx, ecx 0x0000001c mov esi, 72BCCF03h 0x00000021 popad 0x00000022 add eax, ecx 0x00000024 jmp 00007FB8DCECAB46h 0x00000029 mov eax, dword ptr [eax+00000860h] 0x0000002f pushad 0x00000030 pushad 0x00000031 call 00007FB8DCECAB48h 0x00000036 pop esi 0x00000037 movsx edi, cx 0x0000003a popad 0x0000003b popad 0x0000003c test eax, eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380CA6 second address: 5380CAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380CAA second address: 5380CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC2F44 second address: FC2F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC2F4A second address: FC2F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E13887 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FB996E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E113A6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 103FC7A instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7812

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1476673720.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1476673720.000000000181C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.000000000181C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: file.exe, 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00DF5BB0 LdrInitializeThunk,

0_2_00DF5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
sergei-esenin.com	11%	Virustotal	Browse
spirittunek.store	14%	Virustotal	Browse
eaglepawnoy.store	18%	Virustotal	Browse
clearancek.site	18%	Virustotal	Browse
licendfilteo.site	16%	Virustotal	Browse
mobbipenju.store	14%	Virustotal	Browse
dissapoiznw.store	14%	Virustotal	Browse
bathdoomgaz.store	14%	Virustotal	Browse
studennotediw.store	18%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	false	0%, Virustotal, Browse	unknown
sergei-esenin.com	172.67.206.204	true	true	11%, Virustotal, Browse	unknown
eaglepawnoy.store	unknown	unknown	false	18%, Virustotal, Browse	unknown
bathdoomgaz.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
spirittunek.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
licendfilteo.site	unknown	unknown	true	16%, Virustotal, Browse	unknown
studennotediw.store	unknown	unknown	false	18%, Virustotal, Browse	unknown
mobbipenju.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
clearancek.site	unknown	unknown	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	unknown	unknown	false	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
licendfilteo.site	true		unknown
https://sergei-esenin.com/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/	file.exe, 00000000.00000003.1462605489.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steam.tv/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spirittunek.store/api=k	file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://clearancek.site/api	file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dissapoiznw.store/api	file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/s	file.exe, 00000000.00000003.1462605489.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://studennotediw.store/api	file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/api	file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://bathdoomgaz.store/api	file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/apiUk	file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/3	file.exe, 00000000.00000003.1462605489.000000000184B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://licendfilteo.site/api	file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/mk(F	file.exe, 00000000.00000002.1476673720.0000000001837000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:27060	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000002.1476673720.000000000184B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476862751.0000000001894000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1476673720.00000000017F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.00000000017F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.1462554033.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462605489.0000000001837000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
172.67.206.204	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528567
Start date and time:	2024-10-08 02:09:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:10:06	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
172.67.206.204	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	CatalogApp.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.206.204
steamcommunity.com	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	utmggBCMML.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ArT23Ix6Ox.exe	Get hash	malicious	Unknown	Browse	172.67.159.186
	cqKYl7T4CR.exe	Get hash	malicious	Unknown	Browse	104.21.9.92
	ArT23Ix6Ox.exe	Get hash	malicious	Unknown	Browse	104.21.9.92
	cqKYl7T4CR.exe	Get hash	malicious	Unknown	Browse	172.67.159.186
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	https://Vv.ndlevesio.com/vrbU/	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	x2Yi9Hr77a.exe	Get hash	malicious	XWorm	Browse	172.67.75.40
	Audio_Msg..00293614554893Transcript.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	Xmrig	Browse	104.21.80.31
AKAMAI-ASUS	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	utmggBCMML.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254 172.67.206.204
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	utmggBCMML.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9495979478449845
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'856'512 bytes
MD5:	30f95ad37ec36dbf01a9d0e27d1235a4
SHA1:	f5b3002885d3f29a2d4517dc842728127db3acc8
SHA256:	2d183e51ffc471e6ffd01a38d5c5935c9d723e61ec3d44b7ddf72a52e87a53b2
SHA512:	92dc0f11589245473b419aac82583488e269ca9a9ed434453f788eb0b5c763b89c4f6637d811a6e490fff0a553bdbef581ff8f2fd48b6ea39b6eb285d3430d63
SSDEEP:	49152:i5C89fKHOWJgKlVexMzDKuppt33GJgawyVCLW:i5r3WJgNxMzDKOJGeRnL
TLSH:	7E85333CA127FD62D78B897BCA607F3459779F0C66CFFD5833A62530982B88A0105DA5
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f.............................0J...........@..........................`J.....6.....@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8a3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FB8DCD61FFAh
rdmsr
sbb al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FB8DCD63FF5h
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-4Dh], ah
adc dl, byte ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	398bf1d04c63e59408377b4f1310863c	False	0.9995874587458746	data	7.983406795783042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2a6000	0x200	970a0bd0ff9a5212067261fafc7424f8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xmuksiop	0x306000	0x19c000	0x19bc00	f8494c7cc614c3d5224d62e6e15cdfdb	False	0.9941815374544627	data	7.953920296605131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qbjqiedn	0x4a2000	0x1000	0x400	94e068f24cf2a983b7fc5cc95b1b8847	False	0.7802734375	data	6.103493973289862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a3000	0x3000	0x2200	f1f338ec070b8fdf4c1674f0d684d499	False	0.06318933823529412	DOS executable (COM)	0.7272366384619429	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T02:10:06.999657+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.8	52854	1.1.1.1	53	UDP
2024-10-08T02:10:07.028262+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.8	51187	1.1.1.1	53	UDP
2024-10-08T02:10:07.047353+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.8	59347	1.1.1.1	53	UDP
2024-10-08T02:10:07.058225+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.8	61450	1.1.1.1	53	UDP
2024-10-08T02:10:07.068467+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.8	55774	1.1.1.1	53	UDP
2024-10-08T02:10:07.086419+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.8	59873	1.1.1.1	53	UDP
2024-10-08T02:10:07.097101+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.8	52665	1.1.1.1	53	UDP
2024-10-08T02:10:07.107623+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.8	55909	1.1.1.1	53	UDP
2024-10-08T02:10:10.038599+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49707	172.67.206.204	443	TCP
2024-10-08T02:10:10.038599+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49707	172.67.206.204	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 02:10:07.137610912 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:07.137681007 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:07.137764931 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:07.141047955 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:07.141074896 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:07.817322016 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:07.817403078 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:07.820410013 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:07.820427895 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:07.820782900 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:07.870819092 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:07.872868061 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:07.919405937 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.337317944 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.337383986 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.337415934 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.337429047 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.337450981 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.337451935 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.337471008 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.337481022 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.337498903 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.337512016 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.337524891 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.337539911 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.445652962 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.445714951 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.445828915 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.445849895 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.445878029 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.445895910 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.450469971 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.450556993 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.450572968 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.450620890 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.450627089 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.450728893 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.450777054 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.451658964 CEST	49706	443	192.168.2.8	104.102.49.254
Oct 8, 2024 02:10:08.451677084 CEST	443	49706	104.102.49.254	192.168.2.8
Oct 8, 2024 02:10:08.467267990 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:08.467336893 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:08.467426062 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:08.467757940 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:08.467776060 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:09.576550961 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:09.576630116 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:09.579282999 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:09.579294920 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:09.579721928 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:09.580796957 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:09.580816031 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:09.580909014 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:10.038645983 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:10.038882017 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:10.038964033 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:10.039134979 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:10.039154053 CEST	443	49707	172.67.206.204	192.168.2.8
Oct 8, 2024 02:10:10.039164066 CEST	49707	443	192.168.2.8	172.67.206.204
Oct 8, 2024 02:10:10.039169073 CEST	443	49707	172.67.206.204	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 02:10:06.999656916 CEST	52854	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.024295092 CEST	53	52854	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:07.028261900 CEST	51187	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.045337915 CEST	53	51187	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:07.047353029 CEST	59347	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.056180000 CEST	53	59347	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:07.058224916 CEST	61450	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.066514969 CEST	53	61450	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:07.068466902 CEST	55774	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.084486008 CEST	53	55774	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:07.086419106 CEST	59873	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.095155001 CEST	53	59873	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:07.097100973 CEST	52665	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.105674028 CEST	53	52665	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:07.107623100 CEST	55909	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.121649027 CEST	53	55909	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:07.125468016 CEST	60870	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:07.133128881 CEST	53	60870	1.1.1.1	192.168.2.8
Oct 8, 2024 02:10:08.454139948 CEST	53142	53	192.168.2.8	1.1.1.1
Oct 8, 2024 02:10:08.466428995 CEST	53	53142	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 02:10:06.999656916 CEST	192.168.2.8	1.1.1.1	0xecab	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.028261900 CEST	192.168.2.8	1.1.1.1	0xeabc	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.047353029 CEST	192.168.2.8	1.1.1.1	0xb57	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.058224916 CEST	192.168.2.8	1.1.1.1	0xe44d	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.068466902 CEST	192.168.2.8	1.1.1.1	0xc0f6	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.086419106 CEST	192.168.2.8	1.1.1.1	0x3a57	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.097100973 CEST	192.168.2.8	1.1.1.1	0x37f1	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.107623100 CEST	192.168.2.8	1.1.1.1	0x9dde	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.125468016 CEST	192.168.2.8	1.1.1.1	0x51f0	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:08.454139948 CEST	192.168.2.8	1.1.1.1	0x8b59	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 02:10:07.024295092 CEST	1.1.1.1	192.168.2.8	0xecab	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.045337915 CEST	1.1.1.1	192.168.2.8	0xeabc	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.056180000 CEST	1.1.1.1	192.168.2.8	0xb57	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.066514969 CEST	1.1.1.1	192.168.2.8	0xe44d	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.084486008 CEST	1.1.1.1	192.168.2.8	0xc0f6	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.095155001 CEST	1.1.1.1	192.168.2.8	0x3a57	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.105674028 CEST	1.1.1.1	192.168.2.8	0x37f1	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.121649027 CEST	1.1.1.1	192.168.2.8	0x9dde	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:07.133128881 CEST	1.1.1.1	192.168.2.8	0x51f0	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:08.466428995 CEST	1.1.1.1	192.168.2.8	0x8b59	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:10:08.466428995 CEST	1.1.1.1	192.168.2.8	0x8b59	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	104.102.49.254	443	7620	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 00:10:07 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-08 00:10:08 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 08 Oct 2024 00:10:08 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=2226c37890e55370d5c14c76; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-08 00:10:08 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-08 00:10:08 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-08 00:10:08 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-08 00:10:08 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	172.67.206.204	443	7620	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 00:10:09 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-08 00:10:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-08 00:10:10 UTC	784	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 00:10:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k2jegp432f4el2akqfn83ah0ch; expires=Fri, 31 Jan 2025 17:56:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7P9YvDO%2FfZACJo0mc7%2BKKJTYu7qUUfaI9X20QQQVAlG%2Bt44EYAw85houF7uz4qfMdybGyLKbljJQ4s5EQVzP5O7%2FTUKybaTda8TO%2Bbs9s0%2Bpj3UdsL7VZOP1zf%2BooFCpIR%2Bt0g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf1e802796b421f-EWR
2024-10-08 00:10:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-08 00:10:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	20:10:04
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xdb0000
File size:	1'856'512 bytes
MD5 hash:	30F95AD37EC36DBF01A9D0E27D1235A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	78.4%
Total number of Nodes:	37
Total number of Limit Nodes:	4

Executed Functions

Function 00DBFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VY^_, xrefs: 00DBFDFF
t, xrefs: 00DBFCBE
V, xrefs: 00DBFEDC
J|BJ, xrefs: 00DC000D

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 3343d73ff6118a66ae9177c62b274e31bb603ac87a02345ecb404c2d9ea75419
Instruction ID: bff77bfef148140dbbd0837035f7ca8e5d11a1ea8578f731f1133556f15200a6
Opcode Fuzzy Hash: 3343d73ff6118a66ae9177c62b274e31bb603ac87a02345ecb404c2d9ea75419
Instruction Fuzzy Hash: C6D155B45083819BD311DF189894B6FBFE1AF96B44F18881CF4C99B252C336CD49DBA2

Function 00DBD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00DBD2F1

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: dc2b55bd212ec46920fc8895fe7ac0c656e218162338fd8a41312d4852d9767d
Instruction ID: e58084d6553dff5f7125e8d8c40204349163f29836a7c5d8143c40abf2d403aa
Opcode Fuzzy Hash: dc2b55bd212ec46920fc8895fe7ac0c656e218162338fd8a41312d4852d9767d
Instruction Fuzzy Hash: 2F412570409380ABC601BB68D685A2EFBF6EF92744F588C1CE5C597212E336D8149B7B

Function 00DF5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00DF5784

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ef187f0b79027a3840883a5e4d723487423be1b91484c4d6f003c91cad368361
Instruction ID: c2ce0eb996de0a559c0749ad7fb321e8e33af1d12fb5314888a463d769f2a9d4
Opcode Fuzzy Hash: ef187f0b79027a3840883a5e4d723487423be1b91484c4d6f003c91cad368361
Instruction Fuzzy Hash: 7F11A37151C640EBC701AF29F840A2BBBF5DF96710F068828E6C49B215D336D855CBA3

Function 00DF5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00DF973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00DF5BDE

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00DF695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00DF69C5

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: aa3c9fea93bf5b27725b95134da7e6553841e1ba85d7c8e8e599254014f5e36c
Instruction ID: 02b9b94d3e155d16062bee7ae02b1db49573a6f96f70378425b71657bd7b9d43
Opcode Fuzzy Hash: aa3c9fea93bf5b27725b95134da7e6553841e1ba85d7c8e8e599254014f5e36c
Instruction Fuzzy Hash: 3031A5B15083059FD708DF28C8A063BB7E2EF84344F48D81CE6C6A72A1E375D948CB66

Function 00DC049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a63c98b69e468969f711634eb4a61a907acd6f6227015831c5d5214800f166
Instruction ID: 662a331c650d6285b1f8ec312b820b061fb987557984c38157b6d5c383ca028f
Opcode Fuzzy Hash: 92a63c98b69e468969f711634eb4a61a907acd6f6227015831c5d5214800f166
Instruction Fuzzy Hash: C4917A75200701DFD724CF25E890B26B7F6FF89310B158A6CE996CBAA1DB31E815CB60

Function 00DC0228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d153aaecf00f6396be3d0e3e9ea52d9ab7e8f1064b2a5d92aeeb1ae56abdd5d
Instruction ID: ae81a4afc8f5a715ec240fa23adb4bf258cd278fded1f488222e24a7bae19a37
Opcode Fuzzy Hash: 7d153aaecf00f6396be3d0e3e9ea52d9ab7e8f1064b2a5d92aeeb1ae56abdd5d
Instruction Fuzzy Hash: 15715875200701DFD7248F21E894B26BBB6FF49315F14C96CE996CB6A2CB31E819CB60

Function 00DF99D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edd8533c34788353ad7280da9726ec6125a045ceb7972ba72bb7ace15aadddc
Instruction ID: c5a59b91d767ac88fd5991c45d600419fec486561fc75a04e7a8b748972bb54c
Opcode Fuzzy Hash: 5edd8533c34788353ad7280da9726ec6125a045ceb7972ba72bb7ace15aadddc
Instruction Fuzzy Hash: 68418E35A08304AFDB149A19E8A0B3BF7E5EB85714F19C82CF68997251D331E851DB72

Function 00DF63B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: adefaafb86387bd0fff3a6c5320015cded800cb64426fb43682f02496d0cf94f
Instruction ID: 8de9b5eb60816823d643511eddbb89f9480201ad19e24c5fa8acc5d1dd72d614
Opcode Fuzzy Hash: adefaafb86387bd0fff3a6c5320015cded800cb64426fb43682f02496d0cf94f
Instruction Fuzzy Hash: D131E370249305BEDA24DB05CD81F3BB7E5EB80B10F698908F3816A2D1D371E8549B62

Function 00DC0EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b294348e76ccc3610415c379c9e46a99364b0bafb5770a59afa113b27282fe
Instruction ID: 98eb72ab3e7a58d0631d8ad5885ae4ddd469089f38d996be5ebc5963958a4660
Opcode Fuzzy Hash: b9b294348e76ccc3610415c379c9e46a99364b0bafb5770a59afa113b27282fe
Instruction Fuzzy Hash: F72114B490021A9FEB15CF94CC90FBEBBB2FF4A304F144848E911BB292C735A951CB64

Function 00DF3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00DF32A6

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 87029c8d39dbdac6c78dcdf5f5d20ddb6e546bb592827d9d98c54811423f6508
Instruction ID: 6fb2705ab9ab3299939195bfe126216aefe6103cc1a85531e4a9394a84908dc4
Opcode Fuzzy Hash: 87029c8d39dbdac6c78dcdf5f5d20ddb6e546bb592827d9d98c54811423f6508
Instruction Fuzzy Hash: 0E014F3450D2409FC701AB18E885A1ABBE8EF46700F06891CE5C59B361D335DD64CB66

Function 00DF3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00DF3208

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ec2525a0c06067e1c6bbd0df3281a034d93c1fd1eb68e75880246845ac94320e
Instruction ID: aeec9549ca416cb1aad0bc2fa7602579c57ed420538f6b265cc2624532527bef
Opcode Fuzzy Hash: ec2525a0c06067e1c6bbd0df3281a034d93c1fd1eb68e75880246845ac94320e
Instruction Fuzzy Hash: 63B012300400005FDA041B00EC0AF003510EB00605F840050B100140B1D16258B8C655

Non-executed Functions

Function 00DE23E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON

Download Yara Rule

Strings

aenQ, xrefs: 00DE276A
|}&C, xrefs: 00DE2F21
mlc@, xrefs: 00DE275C
Cx, xrefs: 00DE453D
`tii, xrefs: 00DE2693
f@~!, xrefs: 00DE25FF
%*+(, xrefs: 00DE40EF
Wu, xrefs: 00DE344B, 00DE4861
3<, xrefs: 00DE32D6
fedc, xrefs: 00DE2782
ggxz, xrefs: 00DE2685
:, xrefs: 00DE32DD
{l`~, xrefs: 00DE268C

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$Wu
API String ID: 0-1419478863
Opcode ID: 713c6627dabc63b396ba09bb67b0122127e8efab901a8cdeaf1b26ed0c1ba22b
Instruction ID: a0ec083ceed4a7b810d7e73a48b7cc1abc9892f55599936cfd9924587d2d6507
Opcode Fuzzy Hash: 713c6627dabc63b396ba09bb67b0122127e8efab901a8cdeaf1b26ed0c1ba22b
Instruction Fuzzy Hash: 0733CD70504B818FD7259F3AC590762BBE1FF16304F58899DE4DA8B792C736E806CBA1

Function 00DCDB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

D, xrefs: 00DCE846
DCBA, xrefs: 00DCE887, 00DCE896
:WUE, xrefs: 00DCF6B7, 00DCF6C6
WP, xrefs: 00DCDCEF
T, xrefs: 00DCF157
mjkh, xrefs: 00DCE7D8
@ONM, xrefs: 00DCE6DB
()./, xrefs: 00DCE9CA
`onm, xrefs: 00DCE733
tuJK, xrefs: 00DCE967
`Y^_, xrefs: 00DCE99E
dcba, xrefs: 00DCE728
|, xrefs: 00DCECB1
tsrq, xrefs: 00DCE6FC
LKJI, xrefs: 00DCE6E6
xgfe, xrefs: 00DCE71D
<=:;, xrefs: 00DCE930
lkji, xrefs: 00DCE73E
89&', xrefs: 00DCE93B
%*+(, xrefs: 00DCDE37, 00DCDE46
QNOL, xrefs: 00DCE775
<=2, xrefs: 00DCEA01
89>?, xrefs: 00DCE9F6
AR, xrefs: 00DCDD10

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: fd8eb8af963b4cd6597c6c1cd41687bc493863fa75d3dba8107662ed2ce5dab8
Instruction ID: 4be5823df040c41c1dd99041d82c48f467ad05d298c837091e1d525dcae3ed8e
Opcode Fuzzy Hash: fd8eb8af963b4cd6597c6c1cd41687bc493863fa75d3dba8107662ed2ce5dab8
Instruction Fuzzy Hash: 55F267B15083829BD770CF14C884BABBBE6FFD5304F18482DE5C99B291D7719985CBA2

Function 00DD9F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

/), xrefs: 00DDA66D
hi, xrefs: 00DDAB9D
?m,o, xrefs: 00DDA13C
(a*c, xrefs: 00DDA147
_Y, xrefs: 00DDA641
WQ, xrefs: 00DDA62B
=], xrefs: 00DDA36A
sm, xrefs: 00DDA830
WH, xrefs: 00DDAA1C
JG, xrefs: 00DDAA27
%e6g, xrefs: 00DDA152
Gt, xrefs: 00DD9FF8
N[, xrefs: 00DDA375
kW, xrefs: 00DDA380
CG, xrefs: 00DDAA32
S], xrefs: 00DDA636
]{, xrefs: 00DDA1E7, 00DDA1F3

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 98488dcffa92d910c48bdca883f74eef4ff60e067457bcdcca39c63541ad98e5
Instruction ID: 065ceba6e1f069530833a788b9987bd7b2d16f4764fe62ff51b3dd9a7f25379f
Opcode Fuzzy Hash: 98488dcffa92d910c48bdca883f74eef4ff60e067457bcdcca39c63541ad98e5
Instruction Fuzzy Hash: F852B7B444D385CAE270CF25D581B8EBAF1BB92740F609A1EE1ED5B255DB708045CFA3

Function 00DD9510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

X/R), xrefs: 00DD9AEB
T#a-, xrefs: 00DD9AE3
?M0K, xrefs: 00DD9968
B?Q9, xrefs: 00DD9B0B
2A"_, xrefs: 00DD9980
L3Y=, xrefs: 00DD9B03
B7U1, xrefs: 00DD9AFB
G'M!, xrefs: 00DD9ADB
O+f), xrefs: 00DD9634, 00DD963D
G+X5, xrefs: 00DD9AF3
,A&C, xrefs: 00DD982E
!E4G, xrefs: 00DD9836
pq, xrefs: 00DD99E0
8;, xrefs: 00DD9B13
z=Q?, xrefs: 00DD9826
;IJK, xrefs: 00DD983E

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: dab573aba3cad73b37abb9570f8083ce36bbcf5cd5d3ffc837652d032824fa20
Instruction ID: 8947e1f7fd8dd1bbc739999cac472593e505daa4df8d23d8a8558a6b21551485
Opcode Fuzzy Hash: dab573aba3cad73b37abb9570f8083ce36bbcf5cd5d3ffc837652d032824fa20
Instruction Fuzzy Hash: F3F12CB0508380ABD310DF19D891A2BBBF4FB86B48F04491EF4D99B352D375D908DBA6

Function 00F78C0B Relevance: 15.0, Strings: 11, Instructions: 1237COMMON

Download Yara Rule

Strings

7$ws, xrefs: 00F7993B
r*_, xrefs: 00F7939A
6Fzo, xrefs: 00F78EFE
D', xrefs: 00F791B2
Bm5, xrefs: 00F79AAD
dV[@, xrefs: 00F79138
B)?, xrefs: 00F790A7
/., xrefs: 00F7983B
tD}o, xrefs: 00F79374
Lds|, xrefs: 00F798CC, 00F7996D, 00F79990, 00F799C2, 00F799C6
_w?, xrefs: 00F7976D

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: D'$/.$6Fzo$7$ws$B)?$Lds|$_w?$dV[@$r*_$tD}o$Bm5
API String ID: 0-3694557691
Opcode ID: 6cb780aba2e558be6660fe0547cfb2517be62f3428f28d2fb9b716a3fd436027
Instruction ID: 0917651741462a781f18703664aca6319820411c66205ed5b4b9da530a5110b6
Opcode Fuzzy Hash: 6cb780aba2e558be6660fe0547cfb2517be62f3428f28d2fb9b716a3fd436027
Instruction Fuzzy Hash: AB82F4F3A0C2009FD314AE29EC8567AFBE5EF94720F16492DEAC4C7744EA3558418B97

Function 00DDDD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

,Q?S, xrefs: 00DDE26F
hX]N, xrefs: 00DDDDC7
-M2O, xrefs: 00DDE25A
{E, xrefs: 00DDE323
=]+_, xrefs: 00DDE276
)IgK, xrefs: 00DDE261
Y9N;, xrefs: 00DDE245
n\+H, xrefs: 00DDDDC0
%*+(, xrefs: 00DDE143
<Y.[, xrefs: 00DDE27D
upH}, xrefs: 00DDDE8A, 00DDE798, 00DDDF4A

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: d18bd63797b355d63bbb026361857da3cf29852b62cb6ca9a4a4df7aef22c2da
Instruction ID: 1fbf180434cdf08279bbe8d45021b4a2ea575b9baec1a4ea35050aec771fb285
Opcode Fuzzy Hash: d18bd63797b355d63bbb026361857da3cf29852b62cb6ca9a4a4df7aef22c2da
Instruction Fuzzy Hash: 9C920271E00205CFDB18CF69D8816AEBBB2FF49310F298169E456AB391D731AD45CBA0

Function 00F7D823 Relevance: 14.1, Strings: 10, Instructions: 1566COMMON

Download Yara Rule

Strings

al}Z, xrefs: 00F7DBBC
(L4w, xrefs: 00F7DD2B
Wkvw, xrefs: 00F7E4CC
b72, xrefs: 00F7E9AC
Ed, xrefs: 00F7E32D
4F?, xrefs: 00F7D937
0F#, xrefs: 00F7DC65
'L4w, xrefs: 00F7DD30
*?, xrefs: 00F7D988
2'oA, xrefs: 00F7EACA

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: 'L4w$(L4w$0F#$2'oA$4F?$Ed$Wkvw$al}Z$b72$*?
API String ID: 0-2454878617
Opcode ID: ae2621fb22d4f06de8a1232b5ab902e1cb4c581252cd3bf4598878205a7e1dd0
Instruction ID: 6749f8897609bdc508286279568b1f456a7812e78452b218fe402990807ada00
Opcode Fuzzy Hash: ae2621fb22d4f06de8a1232b5ab902e1cb4c581252cd3bf4598878205a7e1dd0
Instruction Fuzzy Hash: CFB2D3B360C2009FE304AE29EC8567ABBE5EF94720F16893DEAC5C7344E63558518B97

Function 00F76C03 Relevance: 12.9, Strings: 9, Instructions: 1618COMMON

Download Yara Rule

Strings

@zO?, xrefs: 00F77CA0
8G7], xrefs: 00F77ECF
@Tv~, xrefs: 00F77DAE
J+^o, xrefs: 00F77F94
/~, xrefs: 00F77148
<c', xrefs: 00F77E39
hU, xrefs: 00F7738A
Is3, xrefs: 00F77110
a_^w, xrefs: 00F77740

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: 8G7]$<c'$@Tv~$@zO?$Is3$J+^o$a_^w$/~$hU
API String ID: 0-44407058
Opcode ID: 135cf64fe51c71e961cb6bf1fdb52e72497507e534a8a04faaa1ad56246087f1
Instruction ID: da9446b139d4985d2bd0b59548998eb6ff4c4528386f17ab5f80d0f36a4b82d7
Opcode Fuzzy Hash: 135cf64fe51c71e961cb6bf1fdb52e72497507e534a8a04faaa1ad56246087f1
Instruction Fuzzy Hash: FBB206F3A0C2009FE3086E2DEC8567AFBE9EF94720F1A493DE6C583744E63558458697

Function 00F8AD03 Relevance: 11.7, Strings: 8, Instructions: 1703COMMON

Download Yara Rule

Strings

1#t|, xrefs: 00F8AEDB
6Jw, xrefs: 00F8B33B
"Fl, xrefs: 00F8BBE8
x[, xrefs: 00F8B7B8
/z, xrefs: 00F8B163
|+O, xrefs: 00F8BF97
zgV, xrefs: 00F8B9D1
zgV, xrefs: 00F8B9BC

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: /z$1#t|$6Jw$x[$zgV$zgV$|+O$"Fl
API String ID: 0-3712698082
Opcode ID: a01504e2e50b95d0c3e1df8fe4df6110158cbbcce3564b01f1ef3314597a4b77
Instruction ID: 80d4017f5a5806a44c667ad6a06e1f796fdf90f4d0b3a25ee7dc52dc0cff6ffa
Opcode Fuzzy Hash: a01504e2e50b95d0c3e1df8fe4df6110158cbbcce3564b01f1ef3314597a4b77
Instruction Fuzzy Hash: 96B21BF3A082049FE304AE3DEC8577ABBE5EF94720F16493DE5C4C7744E63598458692

Function 00F877F9 Relevance: 11.6, Strings: 8, Instructions: 1645COMMON

Download Yara Rule

Strings

+evw, xrefs: 00F886CB
3w^w, xrefs: 00F88356
9s9, xrefs: 00F8791D
aI|, xrefs: 00F87BA2
@km, xrefs: 00F8854F
/LeZ, xrefs: 00F87B74
$\}, xrefs: 00F88717
VNC, xrefs: 00F88247

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: +evw$/LeZ$3w^w$@km$VNC$aI|$$\}$9s9
API String ID: 0-3671689836
Opcode ID: 04e8a09fc680fa479ee22092176ee1699ed6cbdd0b8b6c0fab04ca94ab80b243
Instruction ID: 1522a0ed6d6a723fc397eec9d83183eedd8789ce3a38cf7953f8afd9e6c80879
Opcode Fuzzy Hash: 04e8a09fc680fa479ee22092176ee1699ed6cbdd0b8b6c0fab04ca94ab80b243
Instruction Fuzzy Hash: FCB216F360C2149FE304AE2DEC8567ABBE9EF94720F1A493DEAC4C7744E63558018697

Function 00DD098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

,#15, xrefs: 00DD0F94
&> &, xrefs: 00DD0F89
%*+(, xrefs: 00DD0A77, 00DD0A86
gce/, xrefs: 00DD1073
cah`, xrefs: 00DD107E
{, xrefs: 00DD1502
9.5^, xrefs: 00DD0F9F
qrqp, xrefs: 00DD1089

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: d06cfe3901df36c72351a48ad631f65bbf21d003cd6391c5441d1a3e71202b74
Instruction ID: eb8fb1298ed38cda463a3e9a90ecf13943f5ec4d96aa96ee7eab1c6d6a08b349
Opcode Fuzzy Hash: d06cfe3901df36c72351a48ad631f65bbf21d003cd6391c5441d1a3e71202b74
Instruction Fuzzy Hash: 556267B56083818BD730CF14D895BABBBE1FB96314F08492EE49A8B741E3759944CB63

Function 00DB1000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00DB22E1
0123456789ABCDEFXP, xrefs: 00DB157D, 00DB15EB
-, xrefs: 00DB21ED
gfff, xrefs: 00DB2297
gfff, xrefs: 00DB2226
@, xrefs: 00DB2C40
0123456789abcdefxp, xrefs: 00DB1587, 00DB15F8

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 08c721fde58a067e5a64ca6322b3ac30cc9a8f523693eebc81b5364e249f9ac4
Instruction ID: 7d1008636ec16938c46642a20f1b6a97a4962ee5fbdda45b138346cb17488328
Opcode Fuzzy Hash: 08c721fde58a067e5a64ca6322b3ac30cc9a8f523693eebc81b5364e249f9ac4
Instruction Fuzzy Hash: A9D2F476608341CFD718CE29C4943AABBE2AFD5314F188A2DE4DAC7391D734D945CBA2

Function 00F7BCF9 Relevance: 10.4, Strings: 7, Instructions: 1624COMMON

Download Yara Rule

Strings

v]"7, xrefs: 00F7C988
QqO, xrefs: 00F7C851
k@;_, xrefs: 00F7C386
:2Hy, xrefs: 00F7CB96
:2Hy, xrefs: 00F7CBC7
AKVo, xrefs: 00F7C991
fq}, xrefs: 00F7CC42

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: :2Hy$:2Hy$AKVo$QqO$fq}$k@;_$v]"7
API String ID: 0-3261915520
Opcode ID: 9a136de6d7e2a5e6db2134d6c3e71ad6208ebfa50891959c2059dee9ea19cdf9
Instruction ID: 65ae8e3743e536147696a76ec1aef1043a82d3a953eefe25c9fcfe46a9218aa5
Opcode Fuzzy Hash: 9a136de6d7e2a5e6db2134d6c3e71ad6208ebfa50891959c2059dee9ea19cdf9
Instruction Fuzzy Hash: 03B2E3F3A0C7049FD304AE2DEC8566AFBE9EB94720F16893DEAC4C3744E63558418697

Function 00F80D00 Relevance: 9.1, Strings: 6, Instructions: 1631COMMON

Download Yara Rule

Strings

qS<w, xrefs: 00F81CAC
Ao~q, xrefs: 00F81344
q-_w, xrefs: 00F81CA6
x^;, xrefs: 00F81F34
=O?, xrefs: 00F81936
LZ5^, xrefs: 00F81C8B

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: Ao~q$LZ5^$q-_w$qS<w$x^;$=O?
API String ID: 0-1387608114
Opcode ID: 204454f1a9709a875b176c0f15874b3edee4a18625b75232f920d8f95ad3f409
Instruction ID: 0e5de78c8d131d73575f9cc26b9ae755c8d47da1a83192e2099c19c1238fb90f
Opcode Fuzzy Hash: 204454f1a9709a875b176c0f15874b3edee4a18625b75232f920d8f95ad3f409
Instruction Fuzzy Hash: 25B208F360C2049FE3046E2DEC8567ABBE9EF94720F16493DEAC4C7744EA3598058697

Function 00F7A337 Relevance: 9.1, Strings: 6, Instructions: 1582COMMON

Download Yara Rule

Strings

=gd, xrefs: 00F7AE46
&$_;, xrefs: 00F7A9AC
6#v?, xrefs: 00F7ADBE
6#v?, xrefs: 00F7ADB3
Fn[, xrefs: 00F7A622
1m_;, xrefs: 00F7AF0B

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: Fn[$&$_;$1m_;$6#v?$6#v?$=gd
API String ID: 0-177951580
Opcode ID: 0b7a9d4fad2b82b3ac7142be3af5869cf4db4f83e3edfaa2c13f84f283c8e09f
Instruction ID: ba42d66c2077802a4745257ed731491f1e787023800480b2e1f83cefd5422d5b
Opcode Fuzzy Hash: 0b7a9d4fad2b82b3ac7142be3af5869cf4db4f83e3edfaa2c13f84f283c8e09f
Instruction Fuzzy Hash: B9B204F360C2049FE7086E2DEC8567ABBE5EF94320F164A3DEAC5C3744EA3558058697

Function 00F892F3 Relevance: 9.0, Strings: 6, Instructions: 1547COMMON

Download Yara Rule

Strings

k;g7, xrefs: 00F89E00
cz], xrefs: 00F89BF1
}]g, xrefs: 00F8A551
E1nU, xrefs: 00F8A42D
'W Y, xrefs: 00F89706
P9Z., xrefs: 00F89520

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: 'W Y$E1nU$P9Z.$cz]$k;g7$}]g
API String ID: 0-184092627
Opcode ID: ba24bfbb07df04d43397276f93b2e9ff91aa04e2cd8ac81b682651c1a1698ccf
Instruction ID: 350befe9e64f0d24e6aed44dbb1d21b855e483e6b85dbff5caf67e67ab51a1d4
Opcode Fuzzy Hash: ba24bfbb07df04d43397276f93b2e9ff91aa04e2cd8ac81b682651c1a1698ccf
Instruction Fuzzy Hash: 94B2E6F360C2049FE318AE19EC8567ABBE9EF94720F1A453DEAC4C7740E63558058797

Function 00DB12F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

@, xrefs: 00DB3531
0, xrefs: 00DB243E
0, xrefs: 00DB1DC1
i, xrefs: 00DB28EA
0, xrefs: 00DB1E88

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 862ac329e35202ae622e688f6d0e47ab31d342ae67454b9c4e57569f5a9a5597
Instruction ID: f366d5298215f53409bae0b87b33d273df01e81d93a0bc54df96406482b3e861
Opcode Fuzzy Hash: 862ac329e35202ae622e688f6d0e47ab31d342ae67454b9c4e57569f5a9a5597
Instruction Fuzzy Hash: 8E62C27260C381CBD319CE28C4907AABBE1AFD5344F188E1DE8DA87391D774D949CB62

Function 00DB164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

+, xrefs: 00DB1573
0123456789ABCDEFXP, xrefs: 00DB164F
gfff, xrefs: 00DB1F3C
gfff, xrefs: 00DB1F57
0123456789abcdefxp, xrefs: 00DB1659

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: f559d2f2cc11c77aea00b7ca911fc94baa3660794caed9ab229b51f95f2126bf
Instruction ID: 2a941f74bf301af1ffb020c06cb6f4fb94d7cbfa16ad4dcc1159c6f8a504740c
Opcode Fuzzy Hash: f559d2f2cc11c77aea00b7ca911fc94baa3660794caed9ab229b51f95f2126bf
Instruction Fuzzy Hash: 31F1A13560C381CFC715CE28C4942AAFBE2AFD9304F588A6DE4DA87356D734D945CBA2

Function 00DB13A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 00DB13A3
gfff, xrefs: 00DB1F3C
gfff, xrefs: 00DB1F57
-, xrefs: 00DB1F23
0123456789abcdefxp, xrefs: 00DB13AD

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 3854937b07129c0208ac26741fe914e3cbd11cf6a85777c97cdc74867a0d7c61
Instruction ID: 7163a50226785d624f15ced21dcccf91fe2126362ee6667a3b5c702429ed9b1b
Opcode Fuzzy Hash: 3854937b07129c0208ac26741fe914e3cbd11cf6a85777c97cdc74867a0d7c61
Instruction Fuzzy Hash: 82D1913560C7818FC715CE29C4942AAFFE2AFD9304F08CA6DE4DA87356D634D949CB62

Function 00DDFD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

:, xrefs: 00DE0087
uvw, xrefs: 00DDFE95
NA_I, xrefs: 00DE036D
m1s3, xrefs: 00DDFEC3, 00DDFECB

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: b877f8c023f2da56ccbc8dc98e467562de6dc35ff16eaad1c03f81d2f09a99e2
Instruction ID: cb43325b927d5e789cd13dcf9bad96b3163c2428651692ad9b41d8b83020d23a
Opcode Fuzzy Hash: b877f8c023f2da56ccbc8dc98e467562de6dc35ff16eaad1c03f81d2f09a99e2
Instruction Fuzzy Hash: 0C32BBB0508380DFD301EF2AD880A2ABBF5EB89300F18495CF5D59B292D376D985CF62

Function 00DC3BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DC3EC4
;z, xrefs: 00DC3C87
p, xrefs: 00DC3C80
ss, xrefs: 00DC3C79

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 4d34f1c4736c024359c021f72d9a68d60090ec572c9e946e493cad3377ff645f
Instruction ID: 1dbfc890fa1c23d90cb0b87719954d378218b93cd43186d8d965d286c0649ca5
Opcode Fuzzy Hash: 4d34f1c4736c024359c021f72d9a68d60090ec572c9e946e493cad3377ff645f
Instruction Fuzzy Hash: 49025AB4810B00DFD7609F28D986B56BFF5FB01300F54895DE89A9B696E331E419CBA2

Function 00DD2260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

sj, xrefs: 00DD2327
hu, xrefs: 00DD232F
a|, xrefs: 00DD2317
lc, xrefs: 00DD2507

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 2f05810d938d4248a27fc09f908e960a368992b47c2e690416ace5d892287407
Instruction ID: 05928dddc5048f96cc8881f34e5e9028ea536bfc00fc295278261db6a91698b6
Opcode Fuzzy Hash: 2f05810d938d4248a27fc09f908e960a368992b47c2e690416ace5d892287407
Instruction Fuzzy Hash: B8A159744083418BC720DF18C891A2BB7F0FFA6754F589A0DE8D99B391E339D945CBA6

Function 00F75109 Relevance: 5.4, Strings: 3, Instructions: 1607COMMON

Download Yara Rule

Strings

um6, xrefs: 00F75C07
x_, xrefs: 00F75802
yw?, xrefs: 00F7523F

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: um6$x_$yw?
API String ID: 0-1176769550
Opcode ID: 9e033a228909c458aaf2c5bc957d310485c2673922d388dfac8fc1cb55025589
Instruction ID: 8ac774a48cab39e599052b7fbf6bfda851c1a0a5db53c3f9e567c0095d5d57d6
Opcode Fuzzy Hash: 9e033a228909c458aaf2c5bc957d310485c2673922d388dfac8fc1cb55025589
Instruction Fuzzy Hash: FAB2F5F360C6049FE304AE29EC8577ABBE5EF94320F16893DE6C4C7744EA3598058697

Function 00DDD7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

CV, xrefs: 00DDD98B
T>, xrefs: 00DDD984
KV, xrefs: 00DDD97D
#', xrefs: 00DDD9EA

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: a8ba875084c285dea490470c52e471297120fe09f8fd7992f44476357ae0e3e5
Instruction ID: 8f742062e47002a26bc4aad826cff095eee5b410e0bbfa0fe58402cce818e632
Opcode Fuzzy Hash: a8ba875084c285dea490470c52e471297120fe09f8fd7992f44476357ae0e3e5
Instruction Fuzzy Hash: 5C8155B48017459BCB20EFA6D28516EBFB1FF16300F60560DE4866BB55C331AA65CFE2

Function 00DDAC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

lk, xrefs: 00DDACBC
4c2a, xrefs: 00DDACA9
,{*y, xrefs: 00DDAD07, 00DDAD13
(g6e, xrefs: 00DDACA1

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 476945cc652eed9581bbd89a351b1c172547d1368802ffd408b4c929a8343679
Instruction ID: bb2f4c2185eb926542c7e539d6b810eeb7007f7b66bd8567fd75bbc8fccd0073
Opcode Fuzzy Hash: 476945cc652eed9581bbd89a351b1c172547d1368802ffd408b4c929a8343679
Instruction Fuzzy Hash: 174157B4408381CBD7209F24D900BABB7F4FF86345F54995DE5C89B250EB36D948CBA6

Function 00DDC470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 00DDC537
%*+(, xrefs: 00DDC9E4, 00DDC9ED
%*+(, xrefs: 00DDC8C3, 00DDC8CB

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: e8d6f979119ce124abec9e064d7aad6c09048d1d41d948f0d8e7e7f56caf62ab
Instruction ID: 02f081c841be35c634355d50e343434d77a5a107e7409e827e84f092f31406b4
Opcode Fuzzy Hash: e8d6f979119ce124abec9e064d7aad6c09048d1d41d948f0d8e7e7f56caf62ab
Instruction Fuzzy Hash: 84E196B5518345DFE3209F25E881B2BBBE5FB85340F48882DF6899B251D732D854CFA2

Function 00DB8590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 00DB8616
), xrefs: 00DB860C
IEND, xrefs: 00DB89F0

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 8cadc7e56f718cad56f79d780a4bfddfcdf5ef909ecdc05ad34148fd35908ba4
Instruction ID: c86557d1d09366e22e349e610a0adeccf5ece83bbbcc0c335099b970b0002cef
Opcode Fuzzy Hash: 8cadc7e56f718cad56f79d780a4bfddfcdf5ef909ecdc05ad34148fd35908ba4
Instruction Fuzzy Hash: C0E1C0B1A08702DFE710CF28C8817AABBE4FB94314F14492DE59697381DB75E914CBE2

Function 00DF4040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DF40A4, 00DF40AD
f, xrefs: 00DF420C

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 03b9379950547e392de8fc3e7817bfb6e917b51a848260a2b6c39aaf14e704dd
Instruction ID: 610bd4903bd43600e96a15f541bc7e9232a9f8c00678d2c23dc3eeaf080bc089
Opcode Fuzzy Hash: 03b9379950547e392de8fc3e7817bfb6e917b51a848260a2b6c39aaf14e704dd
Instruction Fuzzy Hash: 7E12AA716083449FC714CF18C890B2BBBE2FB89314F198A2CF6949B291D771E945CBA2

Function 00DEF620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 00DEF7F5
hi, xrefs: 00DEF6E6

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: c2730a16b4b184ad385d06db09b2380a0fd6520f85eda9dd1039fb3cc8eafc6d
Instruction ID: d68860d6ba6621b0bb86b7a6645c123091cdbbad0bcff7ac510ddc1dee158d34
Opcode Fuzzy Hash: c2730a16b4b184ad385d06db09b2380a0fd6520f85eda9dd1039fb3cc8eafc6d
Instruction Fuzzy Hash: 4BF19471618342EFE704DF26D895B2EBBE6FB85384F14892CF1859B2A1C735D845CB22

Function 00DB35B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 00DB360E
Inf, xrefs: 00DB3607

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: d33aaf65f179d854a569dcd96b149b042389865fbcb43441cf08d8b9c243925c
Instruction ID: b6af58b2e295f29273c4d89201b9ee734481c64ff2cc2375841e27a8743e08d2
Opcode Fuzzy Hash: d33aaf65f179d854a569dcd96b149b042389865fbcb43441cf08d8b9c243925c
Instruction Fuzzy Hash: 4CD1E471A08311DBC704CF29C88065EBBE1EBC8750F258A2DF9DA973A0E671DD049B92

Function 00DCFFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 00DD00F6
BaBc, xrefs: 00DD0197

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: ea1a177eb7b01703fcef40dc47efdb43033b27a9d92248b0c40526bb713c50b3
Instruction ID: 697c3d6564eade063a32c4bb880068ba10d77615d47f097238e5d544afe2f4cb
Opcode Fuzzy Hash: ea1a177eb7b01703fcef40dc47efdb43033b27a9d92248b0c40526bb713c50b3
Instruction Fuzzy Hash: 40519B716083819AD731CF18C881BABBBE0FFD6310F08891EE49A9B751E3749940CB67

Function 00E6D9A6 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

Nq_, xrefs: 00E6DAE8
z3k, xrefs: 00E6DA16

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: Nq_$z3k
API String ID: 0-3299733291
Opcode ID: f7836c9046746582fcea5dda9bef523e739896944499a4bc1b81caffcb4e029e
Instruction ID: 58107e7f09ef60c74afee923a705300d6c155b4cc6d7591051924711f7d86b5d
Opcode Fuzzy Hash: f7836c9046746582fcea5dda9bef523e739896944499a4bc1b81caffcb4e029e
Instruction Fuzzy Hash: 31412AF3A082009FF3049E29DC4473BB7D6DBD4320F26C93DEA9587784E93998458742

Function 00DB5160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00DB54C8

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: a433efc0d912aaa3ebcede82db9008a25807a2663566b4f2f0a63a942f1556ba
Instruction ID: bb2b1414408c929c3f9197bbe89d699bfb8b5850bb141e0466c32ff930e71ffe
Opcode Fuzzy Hash: a433efc0d912aaa3ebcede82db9008a25807a2663566b4f2f0a63a942f1556ba
Instruction Fuzzy Hash: 5622F9B5A08B42CBE7158E18E4407A6BBE2AFE0304F1D856DD89B4B349EB71DC45C761

Function 00DE12D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00DE15D1

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: b84c2b3d2a85e101d917f7544cf1f6ec03a02b2629bf426a8a97fec66f591e9a
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 13F14775B083819BC724EE26C49066BBBE6AFC5350F1CC56DE89A87382D634DD05C7B2

Function 00DDAE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DDB2D3, 00DDB2DB

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: cc181932961366496dea64239726648453824c0a1d5eb993f94f0fe237f80df9
Instruction ID: 38b2eb060d3bb8509ce73182e3f070ce4679e6c10f6126f666cfaf9ebe5c555e
Opcode Fuzzy Hash: cc181932961366496dea64239726648453824c0a1d5eb993f94f0fe237f80df9
Instruction Fuzzy Hash: 85E1B871508306CBC314DF29C88056EB7E2FF99795F59891EE4C587320E331E999DBA2

Function 00DC6EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DC6EF3

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: fd61d36e3d1a58b97f67e3ada045cdff6eefaf0c99e5305880866397c01fe0d1
Instruction ID: ceee901f40c3fc9b728784be657269227b2c936b6a279553af8b49b6c77fdd86
Opcode Fuzzy Hash: fd61d36e3d1a58b97f67e3ada045cdff6eefaf0c99e5305880866397c01fe0d1
Instruction Fuzzy Hash: D5F18EB5600B02CFD724DF28D891A26B7F6FF48314B188A2DE59787791EB31E815CB61

Function 00DD7E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DD8263, 00DD826B

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 1ceec4adf7c3d2af6324051ca29d6f085f6fe60cf40b8504a90cf47b2ef42261
Instruction ID: 35074dcf7c701397349bf52f94728793827c702a72fb067b43d2f28fecb5fa98
Opcode Fuzzy Hash: 1ceec4adf7c3d2af6324051ca29d6f085f6fe60cf40b8504a90cf47b2ef42261
Instruction Fuzzy Hash: B0C1CF71908300ABD722AF24C882A2BB7F5EF95754F488819F8C597351E735ED05EBB2

Function 00DD8D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DD9233, 00DD923B

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 8e0c82fb981c145a28479f538314985abd1fb98e22b5cb489d206ac2a3461fd9
Instruction ID: e8bf7feba4c6e376f9f6aa5181637b7b07664ea9d93b0b0faef46dea0e7eef5f
Opcode Fuzzy Hash: 8e0c82fb981c145a28479f538314985abd1fb98e22b5cb489d206ac2a3461fd9
Instruction Fuzzy Hash: 8CD1DB70618302DFD704DF69DC90A2AB7E5FF89304F49886DE88697391DB32E994CB61

Function 00DF7FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00DF8167

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 8811227ade14bfff84e2f59a3841fbfbd8cb1a7e200ae23a6e6b2cdc7fcbb1b6
Instruction ID: 30833f19afa9c74b93f9dd9644a4630e426784cbf22f58238de0c4f292583083
Opcode Fuzzy Hash: 8811227ade14bfff84e2f59a3841fbfbd8cb1a7e200ae23a6e6b2cdc7fcbb1b6
Instruction Fuzzy Hash: 67D1F8329082694FC715CE18D85072FB6E2EB85718F1AC62CE9A5AB390CB71DC45D7E2

Function 00DDCCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DDCDC3, 00DDCDCB

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: dc4bb4dad5831f9a64bc0aaf9676dd100ce979812bd74b16ecbc10f3c2d8aa3c
Instruction ID: ac02702523856ab185bfa1b8c88024c588e55e0db954816d92bbc914ac9b4955
Opcode Fuzzy Hash: dc4bb4dad5831f9a64bc0aaf9676dd100ce979812bd74b16ecbc10f3c2d8aa3c
Instruction Fuzzy Hash: 05B1DF706193028BDB14DF28D880A2BBBE2EF95340F18582EE5C59B351E335D855CBB2

Function 00DBA850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00DBA9C3

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 27d945e45108869c731add042f0bd1de0749ba648957547992cc9060c30266d1
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: CAB11871108381DFD325CF18C88065BBBE1AFA9704F488A2DF5DA97742D671EA18CB67

Function 00DEFC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DEFCA4, 00DEFCAD

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 809225cf810dba879c0b23fe017cddedfb2bec5c50351509f332743322e10ec4
Instruction ID: 90d0c126a67ab6ae8fbd28f7e5376f0e5890a25209404bde6bf7301f1052231c
Opcode Fuzzy Hash: 809225cf810dba879c0b23fe017cddedfb2bec5c50351509f332743322e10ec4
Instruction Fuzzy Hash: 6381DC71208345AFD710EF5AD884A2ABBE5FB99741F18882CF6C4A7291D731D858CB72

Function 00DCD457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DCD663, 00DCD66B

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: e1267673997d5997a030fe7e9f2898a5a1791c89592fa6b5e63283d9fc92168c
Instruction ID: 26acd855ac700eea1bd3a53461651b99b766d064f7a323b22bfe612b48f5ec88
Opcode Fuzzy Hash: e1267673997d5997a030fe7e9f2898a5a1791c89592fa6b5e63283d9fc92168c
Instruction Fuzzy Hash: F161EF72919205DFC710AF18DC42B3AB3B2FF95354F08082DF9869B251E331E904CBA2

Function 00DF4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DF4C33, 00DF4C3B

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: b2ce899805faf9abd3f93df53f84fdfadc9c4a3536e3928a809bd1169a52e145
Instruction ID: e3bc62568353a60e153724d432d746386ee0c02db4cba1fd8f2225dd80bd6333
Opcode Fuzzy Hash: b2ce899805faf9abd3f93df53f84fdfadc9c4a3536e3928a809bd1169a52e145
Instruction Fuzzy Hash: 1061C0716093099BD710DF19D880B3BB7E6EB84314F1AC91CE6C987292D771EC51CB62

Function 00DBE1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00DBE333

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 8da83c2b51cedbcd565b2e026ad9694472a3eaeb78327eaee3283c9703926d57
Instruction ID: fb72bd095a17e16a95b222be52ead58679af5bb574d6ac276ac9914099eee54a
Opcode Fuzzy Hash: 8da83c2b51cedbcd565b2e026ad9694472a3eaeb78327eaee3283c9703926d57
Instruction Fuzzy Hash: E7512323A196908BD328997D4C553EABBC70FA2334B3DC769E9F2CB3E5D555C80093A0

Function 00DF3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DF39E3, 00DF39EB

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 00fa023d3078fd9d7b4f56196173dddf63e01065c3ac61bbe146835934708f2b
Instruction ID: f1ef15d7029679f18b9ef21eb1cbf1d308b597e078fc30f299e1990de11ca78a
Opcode Fuzzy Hash: 00fa023d3078fd9d7b4f56196173dddf63e01065c3ac61bbe146835934708f2b
Instruction Fuzzy Hash: 43519D306093449BCB24DF1AD884A3ABBE5EB85744F1AC81CE6C69B251D372DE50DB72

Function 00DC1BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00DC1C3E

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 7350970b4e9f66e7eb913d1ad6033afda19da05a485fddf9fd9017f7085c6883
Instruction ID: cfc28b1792b3d41544a949c9b9610b9dba206e7de5ca84415f0bf132656b2a98
Opcode Fuzzy Hash: 7350970b4e9f66e7eb913d1ad6033afda19da05a485fddf9fd9017f7085c6883
Instruction Fuzzy Hash: 684141B80083919BC7149F69C894A2FBBF0FF96314F08991CF5C69B291D736C915CB66

Function 00DEFF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DF0033, 00DF003B

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: cb1935afabd1e6bd8d8c4a1fd490dc445594800efcedb761fff8ecf9d104d53b
Instruction ID: 4cd2492f113dbb42d9715e6a88468339a3ff77a58e61b1bfb583620910988e7c
Opcode Fuzzy Hash: cb1935afabd1e6bd8d8c4a1fd490dc445594800efcedb761fff8ecf9d104d53b
Instruction Fuzzy Hash: 1131C5B1904309ABD710EA14DC81B3BBBE9EB85744F598828FA89D7253E632DC14C773

Function 00DDE40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 00DDE6A2

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: f9a87f5184080c66d5afa60a963327225302f0a6f1aee0caab88da6b8b1b4cee
Instruction ID: 02fee147692e8149b2c7c2d95f794681c70f1e6578491eb51a83ea40c4d0a146
Opcode Fuzzy Hash: f9a87f5184080c66d5afa60a963327225302f0a6f1aee0caab88da6b8b1b4cee
Instruction Fuzzy Hash: 2031B4B5A00205DFDB20EF95E8805AFB7B5FB5A745F58086DE446AF301D332A944CBB2

Function 00DC6F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00DC703B

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 533223454bffdc43ac5031b2ddc4b4f425c962231fd12abab73168b9e0770fb7
Instruction ID: aee31ccccd7726a55c54f2f65433b3782d96767106c9e4ca91d6bccc8c5a8f76
Opcode Fuzzy Hash: 533223454bffdc43ac5031b2ddc4b4f425c962231fd12abab73168b9e0770fb7
Instruction Fuzzy Hash: 8E413671204B059FD7358B65D995F27BBF2FB09701F18881CE5869B6A1E332E8009F20

Function 00DDE66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 00DDE6A2

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: f4fd6bfee2cd11403c4b8596c75d04bc0da0033b11079dbdea9474f08c355573
Instruction ID: 1c430fb9f058812660c26acb5f982d7dbfff9248b1934eca49536e0196ab490a
Opcode Fuzzy Hash: f4fd6bfee2cd11403c4b8596c75d04bc0da0033b11079dbdea9474f08c355573
Instruction Fuzzy Hash: 26219CB5A00204DFC720EF95D9809AFBBB5FB5A745F58085DE486AB341C336A944CBB2

Function 00DF9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00DF9D30

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 4a0ca7d11bc76b95721f55f998259432259c47cc28a7bfe0184de3c607d69983
Instruction ID: 757ea7cae653d73305bc1b3c08c003a0329f6482d71d64c5e0133222e9990885
Opcode Fuzzy Hash: 4a0ca7d11bc76b95721f55f998259432259c47cc28a7bfe0184de3c607d69983
Instruction Fuzzy Hash: 9A3167709083049BD710EF19D890A2BFBF9EF9A314F29892CE6C897251D375D944CBA6

Function 00DC4E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c123cb07b4f915fa6657b90788788be4094bc96c8f4df053bf508f57e1b851f
Instruction ID: 7d2964f7f794192b453a314897a20b76604e9e34f7d1d46a23569199c8d2fbb9
Opcode Fuzzy Hash: 3c123cb07b4f915fa6657b90788788be4094bc96c8f4df053bf508f57e1b851f
Instruction Fuzzy Hash: 406245B4510B418FD725CF28D990B26B7E6AF4A700F58892CD49B8BA56E774F844CBA0

Function 00DBBEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 25f9747ca3ac839228bf04d4ba36570488689517841e113e27aaebfa0bce6e80
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 4B520731A18711CBC7259F18D4402FAB3E1FFC9319F295A2DD9C793290E734A851CBA6

Function 00DF8652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0989670297932bdd7a2ea91610c48e2d3ae97d4d438607547a54e5ef71d4a78f
Instruction ID: 027f3981e05d3daa7b4674010d5cca9aa9eac69daaafdc46eb048cbe0081e2e3
Opcode Fuzzy Hash: 0989670297932bdd7a2ea91610c48e2d3ae97d4d438607547a54e5ef71d4a78f
Instruction Fuzzy Hash: 5522F0B5609344CFC704DF69E99062AF7E1FF89305F0A886DE689973A1C732D894CB52

Function 00DF86F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046de4bc28720145990e54c2a4f3f6d2c6aef53b9322667e5a517e1998a6a88c
Instruction ID: 4f5a71476d4f739732ca3d8b7f73d344e1b3f1d0dc3cc34475300e5f1010e975
Opcode Fuzzy Hash: 046de4bc28720145990e54c2a4f3f6d2c6aef53b9322667e5a517e1998a6a88c
Instruction Fuzzy Hash: C322DFB5609344CFC704EF29E99062AF7E1FF89305F0A882DE685973A1C736D894CB52

Function 00DBB3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17ebf581caa54411f681803ba7253778e54561bd54025b4a4b31b81917040f1
Instruction ID: 492074a36b9c7b62a7443ffac9b3e301106dfaaaa040830a1441080c45c65224
Opcode Fuzzy Hash: b17ebf581caa54411f681803ba7253778e54561bd54025b4a4b31b81917040f1
Instruction Fuzzy Hash: 05529570908B84CFE735CB24C4947E7BBE1EB91324F184D2ED5D706A82C7B9A985CB61

Function 00DB71F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39f149341b973f600dd440e4057ffe1e46568fa7b54deba861ccdd3044da77a
Instruction ID: 6d0954b4e893bcce222c418128c00c42f5a0af530c14213417dbec364ec0c2a2
Opcode Fuzzy Hash: e39f149341b973f600dd440e4057ffe1e46568fa7b54deba861ccdd3044da77a
Instruction Fuzzy Hash: 40529C3150C345CBCB15CF29C0906EABBE1BFC8314F198A6DE89A5B351D774E989CBA1

Function 00DB8FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be86a6cf607aea0ba488fef9da9d45b64e30bd7caf627e874874bdde60126240
Instruction ID: a5f3ed78fb6f1e753a4b0871b2dc884735ed115d038b6f1ce701511f8a4ec474
Opcode Fuzzy Hash: be86a6cf607aea0ba488fef9da9d45b64e30bd7caf627e874874bdde60126240
Instruction Fuzzy Hash: 8F427675608341DFD704CF28D8647AABBE1BF88315F09886CE5868B3A1D735D985CF62

Function 00DB7BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025148378f9592dea1f20e99487a17718d2ea334083ea705eeb5cd1da5f17d09
Instruction ID: 98d27232ee6a95b35de9928edbbe01a9057d09658afada38c19afa6c117d2744
Opcode Fuzzy Hash: 025148378f9592dea1f20e99487a17718d2ea334083ea705eeb5cd1da5f17d09
Instruction Fuzzy Hash: 71323170519B11CFC328CF29C5905AABBF2BF85700B644A2ED6A787B90D736F845DB24

Function 00DF89A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c8830c4d8e1eb560cf6b8347dff8971762e15954b63ad8430bd00a51e6502b
Instruction ID: d38dcf0140b6a7451bf6d379ddbc4bf0ddc3e0fcca678b2b8fb74ad632a4dac4
Opcode Fuzzy Hash: e6c8830c4d8e1eb560cf6b8347dff8971762e15954b63ad8430bd00a51e6502b
Instruction Fuzzy Hash: F702CDB4608344DFC704EF69E99062AFBE1EF89305F09896DE6C497361C736D854CB92

Function 00DF8A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe89d3500a84e4c924b5025004875085941a78b3ec4f1e00bc324257f5d36af
Instruction ID: 4a93aef508218843e4ef48c02d42d13b1675b94379bac590e748beb895fa27f1
Opcode Fuzzy Hash: 6fe89d3500a84e4c924b5025004875085941a78b3ec4f1e00bc324257f5d36af
Instruction Fuzzy Hash: CFF1ACB0608344DFC704EF29D99062AFBE1EF8A305F09892DE6C597261D736D954CBA2

Function 00DF8C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e31e436c794697b7791c0125e538a78884ec29fc69ee0e1ac30fabe3129efb
Instruction ID: f97043cab25c61c29e6fc457f5c518b3a8d5089af7295e057177cfdfee1cbfca
Opcode Fuzzy Hash: 66e31e436c794697b7791c0125e538a78884ec29fc69ee0e1ac30fabe3129efb
Instruction Fuzzy Hash: 26E1CFB1A08340CFC704DF29D99062AF7E1EB89315F0A896CE6C9973A1D736D954CB92

Function 00DBA300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 7ec33c9adc3e1da81841e993674935686dd2d827ab422d4c1bda4d200b2ac8ef
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 9DF19D75608741CFD724CF29C88166BBBE6BFD8300F48882DE4D687751E635E945CB62

Function 00DF8E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7d4b2767407dd57b10bbf5ff2220194ce528a6004004eb6624a76657e872df
Instruction ID: 78542939820fa5bbdad95304f0dff58f016eecba7320d0a4a2bac464610579f4
Opcode Fuzzy Hash: 4c7d4b2767407dd57b10bbf5ff2220194ce528a6004004eb6624a76657e872df
Instruction Fuzzy Hash: 34D1CD7060C344DFC304EF28D99062EFBE5EB8A305F09896CE6C5972A1D736D854CBA2

Function 00DC4487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ed4fbf255800543b7e8a418313735058384d14660e01981651682780cf9f51
Instruction ID: 7a533666ac5248ed1649cfff3b44a5447f9b29db634a6350d7b9ff35a1e3d7ba
Opcode Fuzzy Hash: f6ed4fbf255800543b7e8a418313735058384d14660e01981651682780cf9f51
Instruction Fuzzy Hash: 6AE1EFB5511B008FD325CF28D9A6BA7B7E1FF06704F04886DE4AACB752E735A814CB64

Function 00DF6CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3820d24d20e1ed3985715125152a9d53d126820b05051591ddeab3c0cc607d61
Instruction ID: f5306f0dd8ce2f8e559052f1032d7753ab9b763ced580e167532b1b93eb2c389
Opcode Fuzzy Hash: 3820d24d20e1ed3985715125152a9d53d126820b05051591ddeab3c0cc607d61
Instruction Fuzzy Hash: 00D1F236618355CFC710CF39D8C052AB7E6AF89314F098A6DE991E7391D331DA88CBA1

Function 00DF7AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848dcc3fac847bf16cde1b3dd0b7fbb5cae063fb074564a4897f3c16476e22a3
Instruction ID: 8287de2fe2522206017c23be5af8ad9ed7c552960b3e39fdb2d526478fc3e57f
Opcode Fuzzy Hash: 848dcc3fac847bf16cde1b3dd0b7fbb5cae063fb074564a4897f3c16476e22a3
Instruction Fuzzy Hash: ADB10672A0C3548BE314DA28CC417BBB7E5EBC5314F0A892DFA9997381E735DC0587A2

Function 00DBAF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: a5ea71639620641e283727fe8f5832365b3b984bc4b7ba45d82c2385e362ce0d
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 53C17C72A18741CFC360CF28CC96BABB7E1BF85318F08492DD1DAC6242E778A155CB15

Function 00DC6536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67107bebc386d458e7daff004e6ae0e12b254ed7dcabf49bdaeabf992646b68e
Instruction ID: b87145ee9ca26894b89fb4c98cad2807c633ad313904e158bcf8b88aedf6e840
Opcode Fuzzy Hash: 67107bebc386d458e7daff004e6ae0e12b254ed7dcabf49bdaeabf992646b68e
Instruction Fuzzy Hash: 45B101B4510B408BD325CF28C981B67BBF1EF46704F54885CE8AA8BB92E775F805CB65

Function 00DF7710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3323e0027bb8c8bd36cea3390ea64f1968e1f8536e313ba1b38a521689897c0
Instruction ID: d05686207d25cee99b9f28b508a4231fe17929ad2d49b279b29de0d0d9cf54a7
Opcode Fuzzy Hash: c3323e0027bb8c8bd36cea3390ea64f1968e1f8536e313ba1b38a521689897c0
Instruction Fuzzy Hash: 2F917D71608305ABE720DB15D840BBBBBE6EB85354F59881CFA8897351E730E954CBA2

Function 00DFA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd1080640b7a564c4687ae2592663ff25effb1c89b5b2cce480e67299bafac5
Instruction ID: 616b6a603be1636e912b0f6d3762d24d0837cdb39856fef0635e21e264011d52
Opcode Fuzzy Hash: fcd1080640b7a564c4687ae2592663ff25effb1c89b5b2cce480e67299bafac5
Instruction Fuzzy Hash: 13816E742087059FD724DF6CD880A3AB7E5EF55740F4AC91CEA898B251E731EC50CBA2

Function 00DE64F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05abbffec80e707340a8022f5d3fec4024fe5eaea725e9020829e152e005252c
Instruction ID: 4f7fa2d6dc935c2a19cf171888fbcc5bba66a849506732d7b7adf11cf1049004
Opcode Fuzzy Hash: 05abbffec80e707340a8022f5d3fec4024fe5eaea725e9020829e152e005252c
Instruction Fuzzy Hash: DA71D633B29AD04BC314AD7D4C463A5BA935BE6374B3DC3B9A9B4CB3E5D529C8064360

Function 00DD28E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562d8294a5f5c28e228b8c1f717076c45333e9244096fa5780c04a1e19a60954
Instruction ID: a534f1f882070c8f2fd0239a3bb2a2b3cc55ac4024489d91135a3db8b3edeabd
Opcode Fuzzy Hash: 562d8294a5f5c28e228b8c1f717076c45333e9244096fa5780c04a1e19a60954
Instruction Fuzzy Hash: 5C6168B44183509BD310AF19D851A2BBBF1FFA6750F08491EF4C59B361E33AD914CB66

Function 00DD7C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f52d57fe6f28f18264bdd698d0e67ac1473f6399ed569587c05a8c770327c88
Instruction ID: 6329205f41d07fb433d20e971014f448d560c8f6a50a89b6ba744edcc543ec85
Opcode Fuzzy Hash: 4f52d57fe6f28f18264bdd698d0e67ac1473f6399ed569587c05a8c770327c88
Instruction Fuzzy Hash: FC51BFB16182049FDB209B28CC92BB733B5EF85364F184999F9868B391F375D805C771

Function 00E695A4 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ac8693515e2eefd7cb0bc2cb8f7dc2a5dbd664fcbc44e0b4b57048dee7ec5a
Instruction ID: 340a1e443cf799b0422dbb2d11ea0e0c29d95fff96ce525da210aa48ff2aeb40
Opcode Fuzzy Hash: e4ac8693515e2eefd7cb0bc2cb8f7dc2a5dbd664fcbc44e0b4b57048dee7ec5a
Instruction Fuzzy Hash: C4616EF3E096109FE3042E2DDC843AAF6D6EFD4320F2B463DD6C497784D97958058692

Function 00DE1860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 83a225c7a057b2fa1b269f8db2968f9542cff4b12da67d200f80b92971d11150
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: D161E535709381ABD714EE2EC58072FBBE2ABC5350F58C92DE4D98B251D270DC469B61

Function 00EE9CF1 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b01f78d6bb883c28238301291adbe7b463ab22a10f36d268b67c3e81b2dacc
Instruction ID: 9142b440dd39bb6e5468fe0024cbd9cd9e8ec7ae018de826213b9ad46875b2a9
Opcode Fuzzy Hash: a1b01f78d6bb883c28238301291adbe7b463ab22a10f36d268b67c3e81b2dacc
Instruction Fuzzy Hash: 155129F3A183044BE30C6E3DEC59776BBD9E794320F1A463EEA96837C4ED3948054246

Function 00DE82D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6ef71dad0e2ff3d00bb674e85a8b2bbcb29ae74a270bad052cafd62dfdb94c
Instruction ID: a93ecefef602a9d5899c47e14b4f07fa5e87adcfb1da9fedeb5e100221aaeded
Opcode Fuzzy Hash: 8a6ef71dad0e2ff3d00bb674e85a8b2bbcb29ae74a270bad052cafd62dfdb94c
Instruction Fuzzy Hash: 2F615A23A1EAD14BC315653E5C453AAAA835BD2730F3DC365D8F9CB3E4CD698801A361

Function 00E4F574 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b92854f0a020d0d86947d08d76e36ba9dd6809805ea7aaf490b5e35ade0b3d
Instruction ID: 7b36f79c084957975a8f1170d3571c5d70a0e5be387798b28fa0a06954f0b1f9
Opcode Fuzzy Hash: 94b92854f0a020d0d86947d08d76e36ba9dd6809805ea7aaf490b5e35ade0b3d
Instruction Fuzzy Hash: 5161A2F36182009FE304AE29DC857BBF7E5EFD4720F26493DE2C487644DA359841CA56

Function 00DC42FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f649bdca63ff92cf6ee9ea64f8e59823cbbdb3cdfc93a77869a6ad3b462499fa
Instruction ID: 381c739d74b394531a873a3942d2d0788704c2d2a81fea1fe26215ec2c87e952
Opcode Fuzzy Hash: f649bdca63ff92cf6ee9ea64f8e59823cbbdb3cdfc93a77869a6ad3b462499fa
Instruction Fuzzy Hash: 1981C2B4811B00AFD360EF39D947797BEF4AB06201F404A1DE4EA97655E730A459CBF2

Function 00DEE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: b129d5a7ecf5eb4981e78d9a1ed8709733e087e9ccd540de04d1418346ebe2d4
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 44517CB16087548FE314DF69D89435BBBE1BBC5318F044E2DE4E983350E379DA088B92

Function 00DF7520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b151158cdf710e2aad8fd48acd17a576d5e8211e39f2fa5400c896c1c770150
Instruction ID: d8071b1217228e00c4c6346aebda0395db45043d3d1b6cb02a0d8d3b36cd0954
Opcode Fuzzy Hash: 1b151158cdf710e2aad8fd48acd17a576d5e8211e39f2fa5400c896c1c770150
Instruction Fuzzy Hash: DF51E33160C204ABC7159E19DC90B7EB7E6EB85314F2D8A2CEAD597391D732EC148BB1

Function 00DB5A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654fd654c0e03affe0a645865dc8ee8a76b85882b65ba68350a17928cbd6364f
Instruction ID: a77c26d12108c3e70f4dff2de758e4a3659c25a7a3b66c5e8502ca0f2bb585bc
Opcode Fuzzy Hash: 654fd654c0e03affe0a645865dc8ee8a76b85882b65ba68350a17928cbd6364f
Instruction Fuzzy Hash: 7B51D571904704DFCB14DF14E890A6ABBA1FF85324F19466CF89B9B352DA31EC41CBA5

Function 00DDEC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7694c90c39b176bdd28f53a61f201feebca85a85b6f6032683e2fbdbc6e4d9ca
Instruction ID: 6845d04ea03c2c7c730ae25f576de756fee97ea08f87319cc5469fc37e196dec
Opcode Fuzzy Hash: 7694c90c39b176bdd28f53a61f201feebca85a85b6f6032683e2fbdbc6e4d9ca
Instruction Fuzzy Hash: D241BE78900319DFDF209F58DC91BA9B7B1FF0A300F484549E945AF3A0EB38A950CBA1

Function 00DF9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208117bf83cabb7f11789ae909effff358eae87dc3c6ac4022074180cdd85c0d
Instruction ID: 5b82a439793411ee60c2114d4a7682ae8adda73cf0971344457760697ed4b0fe
Opcode Fuzzy Hash: 208117bf83cabb7f11789ae909effff358eae87dc3c6ac4022074180cdd85c0d
Instruction Fuzzy Hash: 78418E74A08344AFD7109B15D9A0B3BF7E6EB85714F1AC82CF68997251D331E851CB72

Function 00DC2030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8f9c914b435bbb363c083bdca906c9531bc7272cf4faf4a443cf2222807ea9
Instruction ID: 0baf5ddb27ea2de446fadd39f17fdb5bccae6fc4d8dc355f6b409eea826857a8
Opcode Fuzzy Hash: 5e8f9c914b435bbb363c083bdca906c9531bc7272cf4faf4a443cf2222807ea9
Instruction Fuzzy Hash: 05410772A083664FD35CCE29849473ABBE2AFC4300F09C66EE4E6873D0DA758945DB91

Function 00DC1E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399b20bc5f3cf562f3132d43a0891efad7607f26c4bae2cc6249fb7d1051113c
Instruction ID: b02466a96ebd095f86512b1ceab98b73b3a38106768c59e4bbc059cbf35f2242
Opcode Fuzzy Hash: 399b20bc5f3cf562f3132d43a0891efad7607f26c4bae2cc6249fb7d1051113c
Instruction Fuzzy Hash: B341EE755083809BD320AB59C884F2EFBF5FB86754F14491CF6C497292C37AE814CB66

Function 00DF8D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1785b5ea3b4b831ae4ae489ceb1ec0d71f0f9adebc7e698f8fac6a845b2068f
Instruction ID: 229214e772a9e2c243b77df0c2dd80a09abac3076c77fb3f61fa2e905a32758e
Opcode Fuzzy Hash: a1785b5ea3b4b831ae4ae489ceb1ec0d71f0f9adebc7e698f8fac6a845b2068f
Instruction Fuzzy Hash: 9141B13160C2548FC704DF68C89053EFBE6AF99300F1A8A1DD5D9D72A1DB75DD058B92

Function 00DCD961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afacb02b74836de7fdf295d47afb7b375d7c29d8a70582fb7f4cded5eb37da48
Instruction ID: 0b5416379b99fd78a47d0ee06cbc4ac70f38f5890293d06e76c1a868c3d72a25
Opcode Fuzzy Hash: afacb02b74836de7fdf295d47afb7b375d7c29d8a70582fb7f4cded5eb37da48
Instruction Fuzzy Hash: 2641ABB5508382CBD3309F14C881FABB7B1FFA6360F08096DE49A9B651E7754840CB67

Function 00DEF030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 357789350815546f43d37633ffa4892fffec08115aa0edd536447c9eb7f6b040
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 2B2107329082644BC724AB5EC48163BF7E5EB99704F0AC63EE9C4A7295E3359D1487F1

Function 00DF67EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ed0ed36fa9be003270619fee8563cd057fa2cc63bd8b574dc6a3e03f6cee0d
Instruction ID: de40f00ec789a2214c4ac3dad0169c5ee69e9f49e2ec01dc41976425e4ca5149
Opcode Fuzzy Hash: 37ed0ed36fa9be003270619fee8563cd057fa2cc63bd8b574dc6a3e03f6cee0d
Instruction Fuzzy Hash: 4F3136705183829AD714CF14C49066FBFF0EF96784F54980CF4C8AB2A1D334D985CBAA

Function 00DD5E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eef4b22bcba0498b1817fe70d1d619f909658b261d0be3f5fc884cc2f6bfb5a
Instruction ID: bb4b110db140e4ebf3cf5997154e6b6e3caf19620aaf4421ddae87faa7fcc11e
Opcode Fuzzy Hash: 9eef4b22bcba0498b1817fe70d1d619f909658b261d0be3f5fc884cc2f6bfb5a
Instruction Fuzzy Hash: 3721AE705082019BD310AF28D85196BBBF4EF92765F488909F4D99B396E335DA00CBB3

Function 00DB49A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 050153b725d5523360e5b3d8fef1c5d67b60c4257e66cdd579a048c8ef617fe9
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 9731A231658200DBD714DE58D880AABB7E1EF84359F18892DE89BDB342D631DC52CB66

Function 00DF64B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664fb4d4d1157665ec2ef9a2289650c571307c0913e7cfab8ddee435674c8920
Instruction ID: 9e7b04f961f2c75965a692ea81494137c4350af08bfe6f3518da3b3367409d33
Opcode Fuzzy Hash: 664fb4d4d1157665ec2ef9a2289650c571307c0913e7cfab8ddee435674c8920
Instruction Fuzzy Hash: 3C21557060C2449FC704EF1AD580A2EFBE6EB95740F2D881CE6C4A3661C331E854DB62

Function 00DEB650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5ded142450cff691e2296d25c183f0dfe361b3b43e2d17ab85525d811f6ce212
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: D811E533A051E90EC7169D3D8440566BFE31AA3234B5D839EF4F89F2D2D7229D8A8374

Function 00DE0B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: c7e1953ef9b85693d4768eff36e92b800ac8a45d1a6290a06b3151ad5b2e3089
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: BA0171F6A1034287E720BE5694D1B3BB6A8BF84718F1C452CE90A57202DBB5EC45C6B1

Function 00DDD1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472f16f8cce7fed30549417b797368c27470339b67d5d3a8b4e2f260277e26a1
Instruction ID: bcfb7356c360db372f372ce95cafc55c7f3c1ebfa11436dc62938c68eb185870
Opcode Fuzzy Hash: 472f16f8cce7fed30549417b797368c27470339b67d5d3a8b4e2f260277e26a1
Instruction Fuzzy Hash: 4D11EFB0408380AFD3109F61C484A2FFBE5EB96714F148C0DF6A45B251C375E859CF66

Function 00DB6EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e2518227aa081f6dae50196f007c656e8a57d54444b986ba9b2c1695b09bf7
Instruction ID: f7be959b33c0c8ae0de3e98402911e60cba8519e2ad0c8125f9104c3a514bf5c
Opcode Fuzzy Hash: a3e2518227aa081f6dae50196f007c656e8a57d54444b986ba9b2c1695b09bf7
Instruction Fuzzy Hash: 2BF0243A71820A4BA210CDAAE88087BB396DBC9364B09553DEA42C3201CD72E80282A4

Function 00DEB8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 00DCC5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00DCB410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 10aa5d4d17caa476705d7c1f0305650d21c39e8d97130f62e675a9ff8bf8242c
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 78F0A7B160C51557DB268A589C81F37BB9CCB86368F19042BE84557103D2619849C3F5

Function 00DE8220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8961512a909e9349a3343971870c997f4f686f40800480b61cf13ce207e22ff8
Instruction ID: 52198f54c563e38215719544495a3ecf25ae24b54dc1b3df6d151ed39ce4a8e1
Opcode Fuzzy Hash: 8961512a909e9349a3343971870c997f4f686f40800480b61cf13ce207e22ff8
Instruction Fuzzy Hash: D201EFB0410B009FC360EF29C945B5BBBE8EB08714F018A1DE8AECB780D770A558CF92

Function 00DF1440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: bad79d8735a7562c7303474624f3df979cb04d8489f4d2f9d54e7c922085a545
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: FED0A735608321869F748E19A400977F7F0EAC7B11F4ED55EF686E3148D230DC41C2B9

Function 00DC1ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354f354ae4cab99c0c0c3a4706913a42c3ab4f8d8f530db6fcd559389db44b6a
Instruction ID: 7fcb889886287c05f8c0c8ded55d4e63f14fb8645a7820c775452776429c8459
Opcode Fuzzy Hash: 354f354ae4cab99c0c0c3a4706913a42c3ab4f8d8f530db6fcd559389db44b6a
Instruction Fuzzy Hash: 2EC01238A182018BC204CF41A895A32A2B8AB07208700A02AEA02F3362CA20C806D929

Function 00DF6094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13ec62a209af6c77e47aa5e4d2c9ca4dd4fabc16dd34c07c10b92a98f0d1360
Instruction ID: 8e7f77ea8db36de323f734772ae4061a8719e0bb29d6d7bbac4e7ddb66e71203
Opcode Fuzzy Hash: e13ec62a209af6c77e47aa5e4d2c9ca4dd4fabc16dd34c07c10b92a98f0d1360
Instruction Fuzzy Hash: B2C08C3462C0008AD108CE16A800430F26ACF87608720B009C80233245C021C806881C

Function 00DC1A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58407703510ebcd8ccfd6238a8086c62750464e48073de7818aa2eb987cc494b
Instruction ID: fc5f959a7028ab9280ffffb983ce2edc874ee41389ff2bbb540478172e85d277
Opcode Fuzzy Hash: 58407703510ebcd8ccfd6238a8086c62750464e48073de7818aa2eb987cc494b
Instruction Fuzzy Hash: AEC09B34A59245CBC244CF85E8D1531A3FC5707208710703E9B43F7362C560D405D51D

Function 00DF5FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476194142.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000000.00000002.1476183259.0000000000DB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000E10000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476221723.00000000010B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476438374.00000000010B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476540873.0000000001252000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476554763.0000000001253000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_db0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ab6f675a7742c9310f5d19c8f60e90930eb3850f13ed30196f5b2030b82dfa
Instruction ID: d6ad115de586c81d3f4d56553aace8763d89a50ebdbdb2d1fdb580eb8b3dac74
Opcode Fuzzy Hash: b2ab6f675a7742c9310f5d19c8f60e90930eb3850f13ed30196f5b2030b82dfa
Instruction Fuzzy Hash: FDC09224B690008FE24CCF2ADD51A35F6BEDB8BA1CB14B02DC806B3256D135D95A8A0C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 00DBFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 00DBD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00DF5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 00DF5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00DF695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 00DC049B Relevance: .3, Instructions: 264
COMMON

Function 00DC0228 Relevance: .2, Instructions: 218
COMMON

Function 00DF3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00DF3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON