Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528584
MD5:	a897803efb207ab2eea75a982a75e9e3
SHA1:	f368e5e65ccc7e7a39443deab4a6655127c57d84
SHA256:	652d8125ed9fb67fa664e261af816b1eff355f9181131844502471f0bcc1c332
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1808 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A897803EFB207AB2EEA75A982A75E9E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["spirittunek.stor", "mobbipenju.stor", "dissapoiznw.stor", "eaglepawnoy.stor", "clearancek.site", "licendfilteo.site", "studennotediw.stor", "bathdoomgaz.stor"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:08.151651+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49712	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:08.151651+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49712	172.67.206.204	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:05.435172+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.6	52858	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:05.381587+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.6	62355	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:05.416488+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.6	59242	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:05.406186+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.6	62007	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:05.516037+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.6	55446	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:05.395334+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.6	51493	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:05.449141+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.6	54348	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:22:05.425571+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.6	59325	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: file.exe.1808.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["spirittunek.stor", "mobbipenju.stor", "dissapoiznw.stor", "eaglepawnoy.stor", "clearancek.site", "licendfilteo.site", "studennotediw.stor", "bathdoomgaz.stor"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: sergei-esenin.com	Virustotal: Detection: 11%	Perma Link
Source: eaglepawnoy.store	Virustotal: Detection: 17%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 13%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 13%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 13%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 13%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: https://sergei-esenin.com:443/apif	Virustotal: Detection: 11%	Perma Link
Source: https://clearancek.site:443/api	Virustotal: Detection: 17%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: https://steamcommunity.com:443/profiles/76561199724331900	Virustotal: Detection: 8%	Perma Link
Source: https://mobbipenju.store:443/api	Virustotal: Detection: 17%	Perma Link
Source: https://studennotediw.store:443/api	Virustotal: Detection: 17%	Perma Link
Source: https://sergei-esenin.com/api	Virustotal: Detection: 12%	Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0040D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0040D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_004463B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00445700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_0044695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_004499D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0040FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00410EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00444040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00401000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00416F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_0043F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00446094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0042D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00422260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00422260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_004142FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0040A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_004323E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_004323E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_004323E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_004323E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_004323E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_004323E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00441440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0042C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0042E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0041B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_004464B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00429510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00447520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00416536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00408590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0043B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0042E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00447710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_004467EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0042D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_004228E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0041D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00443920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_004049A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00444A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00405A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00411A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00411ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00449B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_0041DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_0041DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00413BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00411BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00430B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_0042EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00427C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_0043FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_0042CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0042CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_0042CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00449CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00449CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0042AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_0042AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_0042FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0042DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00448D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_0042AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00427E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00425E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00414E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00411E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00406EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_0040BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00416EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00429F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0043FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00447FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00447FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00408FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00445FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_0041FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00416F91

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:55446 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:52858 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:62007 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:59325 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:54348 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:59242 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:51493 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:62355 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49712 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 172.67.206.204:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor

Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 172.67.206.204 172.67.206.204

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.c
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eaglepawnoy.store:443/apiG
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mobbipenju.store:443/api
Source: file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/apif
Source: file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2183447092.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studennotediw.store:443/api
Source: file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49712 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410228	0_2_00410228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00444040	0_2_00444040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401000	0_2_00401000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00412030	0_2_00412030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044A0D0	0_2_0044A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D	0_2_005D709D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F90A6	0_2_004F90A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E10B0	0_2_005E10B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405160	0_2_00405160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C3136	0_2_005C3136
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004071F0	0_2_004071F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E1A0	0_2_0040E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004382D0	0_2_004382D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004312D0	0_2_004312D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004012F7	0_2_004012F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040A300	0_2_0040A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A03F9	0_2_006A03F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004323E0	0_2_004323E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B3A0	0_2_0040B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004013A3	0_2_004013A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B544D	0_2_004B544D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4453	0_2_005D4453
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C470	0_2_0042C470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004364F0	0_2_004364F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414487	0_2_00414487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041049B	0_2_0041049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C44B5	0_2_005C44B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00487555	0_2_00487555
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041C5F0	0_2_0041C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408590	0_2_00408590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004035B0	0_2_004035B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040164F	0_2_0040164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448652	0_2_00448652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043F620	0_2_0043F620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DA620	0_2_005DA620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004486F0	0_2_004486F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DF69E	0_2_005DF69E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040A850	0_2_0040A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431860	0_2_00431860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B8C0	0_2_0043B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E8A0	0_2_0043E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BF9CC	0_2_005BF9CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042098B	0_2_0042098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004489A0	0_2_004489A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DC9AD	0_2_005DC9AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00444A40	0_2_00444A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048AAD1	0_2_0048AAD1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448A80	0_2_00448A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00447AB0	0_2_00447AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DB6F	0_2_0041DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407BF0	0_2_00407BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DDC5D	0_2_005DDC5D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448C02	0_2_00448C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CCD0	0_2_0042CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00446CBF	0_2_00446CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00428D62	0_2_00428D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042FD10	0_2_0042FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042DD29	0_2_0042DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042AE57	0_2_0042AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448E70	0_2_00448E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414E2A	0_2_00414E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BEB0	0_2_0040BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416EBF	0_2_00416EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040AF10	0_2_0040AF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00447FC0	0_2_00447FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D1FD4	0_2_005D1FD4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408FD0	0_2_00408FD0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041D300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: file.exe	Static PE information: Section: hnuxtrfl ZLIB complexity 0.9942293233082706

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00438220 CoCreateInstance,

0_2_00438220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1872384 > 1048576

Source: file.exe

Static PE information: Raw size of hnuxtrfl is bigger than: 0x100000 < 0x19fa00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc :W;.idata :W; :EW;hnuxtrfl:EW;yeisysqm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;hnuxtrfl:EW;yeisysqm:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1d0e1e should be: 0x1cb1c2

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: hnuxtrfl
Source: file.exe	Static PE information: section name: yeisysqm
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067306E push eax; mov dword ptr [esp], 7DFF5925h	0_2_00673097
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067306E push ebp; mov dword ptr [esp], ecx	0_2_00673100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067C05A push edx; mov dword ptr [esp], 304E6D00h	0_2_0067C08B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C10EE push ecx; mov dword ptr [esp], edx	0_2_006C113B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A00EE push 4AE3F1BCh; mov dword ptr [esp], eax	0_2_006A0120
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A00EE push 5C5FDA77h; mov dword ptr [esp], edi	0_2_006A0176
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A00EE push ebx; mov dword ptr [esp], ecx	0_2_006A01F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006110CC push 32E81171h; mov dword ptr [esp], edx	0_2_006110EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 2678FAC4h; mov dword ptr [esp], ebx	0_2_005D7135
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push ecx; mov dword ptr [esp], ebx	0_2_005D718B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push esi; mov dword ptr [esp], edx	0_2_005D71EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 41F68980h; mov dword ptr [esp], ebp	0_2_005D72E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 5C2644B3h; mov dword ptr [esp], ebx	0_2_005D7312
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 6214EBF6h; mov dword ptr [esp], esi	0_2_005D73C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push ebx; mov dword ptr [esp], edx	0_2_005D73C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push ebp; mov dword ptr [esp], edx	0_2_005D73E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 1D9A60A2h; mov dword ptr [esp], ecx	0_2_005D73EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push edx; mov dword ptr [esp], 3FBDA363h	0_2_005D73F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push ecx; mov dword ptr [esp], 7D8F25C3h	0_2_005D7438
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push ecx; mov dword ptr [esp], 2CDDA3F5h	0_2_005D748E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push eax; mov dword ptr [esp], esi	0_2_005D74B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 13EC5B4Ah; mov dword ptr [esp], esi	0_2_005D74BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 45488A00h; mov dword ptr [esp], ebx	0_2_005D74E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push eax; mov dword ptr [esp], edi	0_2_005D75CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push ebx; mov dword ptr [esp], 77F29272h	0_2_005D75CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push ecx; mov dword ptr [esp], esi	0_2_005D75E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 509878C8h; mov dword ptr [esp], edx	0_2_005D763C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push edx; mov dword ptr [esp], edi	0_2_005D76B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push edx; mov dword ptr [esp], ebp	0_2_005D76F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 657F48EEh; mov dword ptr [esp], esp	0_2_005D7703
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D709D push 4E07B045h; mov dword ptr [esp], ebp	0_2_005D776D

Source: file.exe	Static PE information: section name: entropy: 7.979615080227463
Source: file.exe	Static PE information: section name: hnuxtrfl entropy: 7.954227730835619

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 463BE8 second address: 463BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D36BA second address: 5D370E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF20CB6C7D7h 0x00000008 jmp 00007FF20CB6C7D4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jp 00007FF20CB6C7F5h 0x00000015 jp 00007FF20CB6C7DBh 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d jmp 00007FF20CB6C7D3h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D370E second address: 5D3714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D3714 second address: 5D3718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E5230 second address: 5E5234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E5803 second address: 5E5807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E8E4E second address: 5E8EB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007FF20D28CF36h 0x00000014 popad 0x00000015 pop esi 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FF20D28CF38h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 call 00007FF20D28CF3Ah 0x00000036 pop edx 0x00000037 mov dword ptr [ebp+122D3509h], eax 0x0000003d push 00000000h 0x0000003f mov dword ptr [ebp+122D3571h], edx 0x00000045 push 1E3154BCh 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e js 00007FF20D28CF36h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E8EB3 second address: 5E8ECD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E8ECD second address: 5E8F4C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF20D28CF38h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 1E31543Ch 0x00000013 mov cx, si 0x00000016 push 00000003h 0x00000018 xor dword ptr [ebp+122D3108h], ecx 0x0000001e mov di, cx 0x00000021 push 00000000h 0x00000023 sub dword ptr [ebp+122D399Bh], edx 0x00000029 push 00000003h 0x0000002b xor ecx, dword ptr [ebp+122D2B2Dh] 0x00000031 mov esi, dword ptr [ebp+122D2B19h] 0x00000037 call 00007FF20D28CF39h 0x0000003c jmp 00007FF20D28CF43h 0x00000041 push eax 0x00000042 jnp 00007FF20D28CF46h 0x00000048 jmp 00007FF20D28CF40h 0x0000004d mov eax, dword ptr [esp+04h] 0x00000051 jmp 00007FF20D28CF3Ah 0x00000056 mov eax, dword ptr [eax] 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9020 second address: 5E9024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9024 second address: 5E9033 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E915E second address: 5E9167 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9167 second address: 5E9198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20D28CF45h 0x00000009 popad 0x0000000a popad 0x0000000b pop eax 0x0000000c stc 0x0000000d lea ebx, dword ptr [ebp+12458D1Dh] 0x00000013 stc 0x00000014 xchg eax, ebx 0x00000015 push edx 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a pop edx 0x0000001b push eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9198 second address: 5E91A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E92AC second address: 5E92F8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF20D28CF3Ch 0x00000008 jnl 00007FF20D28CF36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF20D28CF46h 0x00000017 pop edx 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d jmp 00007FF20D28CF46h 0x00000022 push eax 0x00000023 push edx 0x00000024 jns 00007FF20D28CF36h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E92F8 second address: 5E9318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9318 second address: 5E9369 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007FF20D28CF3Dh 0x00000012 pop eax 0x00000013 push eax 0x00000014 jmp 00007FF20D28CF44h 0x00000019 pop edi 0x0000001a movzx edx, bx 0x0000001d lea ebx, dword ptr [ebp+12458D28h] 0x00000023 mov ch, 51h 0x00000025 xchg eax, ebx 0x00000026 pushad 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E9369 second address: 5E936F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FAA5C second address: 5FAA62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FAA62 second address: 5FAA66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D8724 second address: 5D872E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 607C25 second address: 607C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007FF20CB6C7D6h 0x0000000d jmp 00007FF20CB6C7D1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 607C56 second address: 607C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF20D28CF46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 607C75 second address: 607C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 607DD5 second address: 607E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007FF20D28CF36h 0x0000000c popad 0x0000000d push ebx 0x0000000e jmp 00007FF20D28CF48h 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007FF20D28CF3Ah 0x0000001d push ebx 0x0000001e jmp 00007FF20D28CF3Fh 0x00000023 jmp 00007FF20D28CF41h 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 607E2B second address: 607E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF20CB6C7C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608209 second address: 608216 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608216 second address: 60821C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60821C second address: 608245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF20D28CF36h 0x0000000a jmp 00007FF20D28CF44h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FF20D28CF36h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608566 second address: 60856A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60856A second address: 60856E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60856E second address: 608590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF20CB6C7D8h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608590 second address: 608594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6086F0 second address: 6086FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6086FB second address: 608701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608701 second address: 60872C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 ja 00007FF20CB6C7C6h 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF20CB6C7D8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60872C second address: 608732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6088C8 second address: 6088CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6091B5 second address: 6091F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF20D28CF4Eh 0x0000000a jmp 00007FF20D28CF42h 0x0000000f jnc 00007FF20D28CF36h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 js 00007FF20D28CF36h 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007FF20D28CF3Fh 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 609386 second address: 60938C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60938C second address: 60939E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF20D28CF3Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60939E second address: 6093B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6093B8 second address: 6093C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jl 00007FF20D28CF36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6093C7 second address: 6093D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FF20CB6C7C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6093D6 second address: 6093E0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF20D28CF36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60E284 second address: 60E289 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60E468 second address: 60E476 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60E476 second address: 60E47A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60E47A second address: 60E4C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FF20D28CF46h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jne 00007FF20D28CF3Ah 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a pushad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d jmp 00007FF20D28CF44h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 je 00007FF20D28CF36h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60E4C9 second address: 60E4CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60E61B second address: 60E620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60F78F second address: 60F7AC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF20CB6C7C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF20CB6C7CDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60F7AC second address: 60F7B6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60F7B6 second address: 60F7CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF20CB6C7D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60F7CF second address: 60F7D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E0C8D second address: 5E0CB4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF20CB6C7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF20CB6C7D9h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 614C3E second address: 614C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF20D28CF36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 614C48 second address: 614C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6142D4 second address: 6142D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61494D second address: 614961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FF20CB6C7C6h 0x0000000e jo 00007FF20CB6C7C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 614961 second address: 61496B instructions: 0x00000000 rdtsc 0x00000002 js 00007FF20D28CF36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 616785 second address: 61678F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF20CB6C7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61687C second address: 616880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 616880 second address: 61689D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF20CB6C7D1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61689D second address: 6168A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF20D28CF36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6168A7 second address: 6168DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF20CB6C7D9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6169F4 second address: 6169F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6169F8 second address: 6169FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 616CCC second address: 616CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6179E0 second address: 6179F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF20CB6C7D2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 617B14 second address: 617B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 618041 second address: 618045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 618045 second address: 61804B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 619BCD second address: 619BEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FF20CB6C7C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6192E7 second address: 6192FE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FF20D28CF3Ch 0x00000011 jng 00007FF20D28CF36h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61A654 second address: 61A658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61A658 second address: 61A66D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61A66D second address: 61A687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61A687 second address: 61A68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61B0EA second address: 61B12D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FF20CB6C7CCh 0x0000000f jp 00007FF20CB6C7C6h 0x00000015 popad 0x00000016 nop 0x00000017 mov esi, dword ptr [ebp+122D3116h] 0x0000001d xor dword ptr [ebp+122D3904h], edi 0x00000023 push 00000000h 0x00000025 stc 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+122D268Fh], ebx 0x0000002e mov edi, edx 0x00000030 xchg eax, ebx 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61B12D second address: 61B131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61B131 second address: 61B14B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FF20CB6C7C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61B14B second address: 61B179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FF20D28CF42h 0x00000010 jmp 00007FF20D28CF40h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C6CC second address: 61C6EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FF20CB6C7C6h 0x00000009 jmp 00007FF20CB6C7CCh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C431 second address: 61C435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61C6EB second address: 61C6F1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 622220 second address: 622224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 622224 second address: 622254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7CDh 0x00000007 jmp 00007FF20CB6C7CAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FF20CB6C7CBh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jo 00007FF20CB6C7C6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 622254 second address: 622258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6256DF second address: 625717 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, ecx 0x0000000c push 00000000h 0x0000000e jmp 00007FF20CB6C7D1h 0x00000013 push 00000000h 0x00000015 sub dword ptr [ebp+122D1903h], edi 0x0000001b mov bx, di 0x0000001e xchg eax, esi 0x0000001f push ebx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62662E second address: 626657 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF20D28CF3Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 625838 second address: 625842 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF20CB6C7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626657 second address: 62665D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62665D second address: 6266DE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF20CB6C7CCh 0x00000008 jnl 00007FF20CB6C7C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 pushad 0x00000012 mov ecx, 5660854Bh 0x00000017 mov dword ptr [ebp+122D26A0h], esi 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007FF20CB6C7C8h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a xor ebx, 631CA888h 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007FF20CB6C7C8h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c jmp 00007FF20CB6C7CDh 0x00000061 pushad 0x00000062 mov dh, F4h 0x00000064 popad 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 push ebx 0x0000006a pop ebx 0x0000006b push ebx 0x0000006c pop ebx 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6268D5 second address: 6268DB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6268DB second address: 6268EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FF20CB6C7C6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6268EF second address: 6268F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629659 second address: 629702 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF20CB6C7CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FF20CB6C7C8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 add dword ptr [ebp+122D39FDh], esi 0x0000002d push 00000000h 0x0000002f call 00007FF20CB6C7D8h 0x00000034 or dword ptr [ebp+122D39CCh], ecx 0x0000003a pop ebx 0x0000003b mov dword ptr [ebp+12459573h], ebx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ecx 0x00000046 call 00007FF20CB6C7C8h 0x0000004b pop ecx 0x0000004c mov dword ptr [esp+04h], ecx 0x00000050 add dword ptr [esp+04h], 00000018h 0x00000058 inc ecx 0x00000059 push ecx 0x0000005a ret 0x0000005b pop ecx 0x0000005c ret 0x0000005d xor dword ptr [ebp+122D3A66h], ebx 0x00000063 xchg eax, esi 0x00000064 jc 00007FF20CB6C7DDh 0x0000006a pushad 0x0000006b jmp 00007FF20CB6C7D3h 0x00000070 pushad 0x00000071 popad 0x00000072 popad 0x00000073 push eax 0x00000074 pushad 0x00000075 push esi 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 628835 second address: 628846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF20D28CF3Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 628846 second address: 62884A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62A7AF second address: 62A7B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62A7B5 second address: 62A81E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FF20CB6C7CBh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jo 00007FF20CB6C7D6h 0x00000012 jmp 00007FF20CB6C7D0h 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FF20CB6C7C8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 or bx, 8BF9h 0x00000037 push 00000000h 0x00000039 movzx edi, ax 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+12456E57h], eax 0x00000044 mov dword ptr [ebp+122D30DCh], esi 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e jng 00007FF20CB6C7C6h 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62A81E second address: 62A823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62A823 second address: 62A82D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF20CB6C7C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62A82D second address: 62A831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62AA2A second address: 62AA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20CB6C7D8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62E7C0 second address: 62E7C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62E7C4 second address: 62E7D2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF20CB6C7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62DA63 second address: 62DA6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF20D28CF36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62DA6D second address: 62DAEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FF20CB6C7D2h 0x0000000f jmp 00007FF20CB6C7CCh 0x00000014 nop 0x00000015 mov dword ptr [ebp+122D2285h], edi 0x0000001b push dword ptr fs:[00000000h] 0x00000022 ja 00007FF20CB6C7CCh 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f mov edi, esi 0x00000031 mov eax, dword ptr [ebp+122D0F21h] 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007FF20CB6C7C8h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Ah 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D3A2Fh], esi 0x00000057 mov di, ADFEh 0x0000005b push FFFFFFFFh 0x0000005d or dword ptr [ebp+122D38F3h], edx 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62DAEB second address: 62DAF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62DAF1 second address: 62DAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63094A second address: 630954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FF20D28CF36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 630954 second address: 630958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 630958 second address: 630966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 630966 second address: 63097D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20CB6C7D2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63097D second address: 630982 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62FA8B second address: 62FA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62FA8F second address: 62FA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62FA98 second address: 62FA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 631894 second address: 63192D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF20D28CF38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FF20D28CF38h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jng 00007FF20D28CF3Ch 0x0000002d mov ebx, dword ptr [ebp+122D2F0Fh] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007FF20D28CF38h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f mov dword ptr [ebp+124593A9h], edi 0x00000055 push 00000000h 0x00000057 jmp 00007FF20D28CF49h 0x0000005c xchg eax, esi 0x0000005d jnl 00007FF20D28CF40h 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push ecx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63192D second address: 631932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632861 second address: 632867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632867 second address: 632884 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632884 second address: 632907 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop ebx 0x0000000d popad 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FF20D28CF38h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D33F7h], eax 0x0000002f push 00000000h 0x00000031 movsx ebx, ax 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007FF20D28CF38h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 mov edi, 526AEAFEh 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 ja 00007FF20D28CF38h 0x0000005d push esi 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632907 second address: 63291A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007FF20CB6C7C8h 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6339D6 second address: 6339DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6339DA second address: 6339E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632A3C second address: 632AD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FF20D28CF38h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e js 00007FF20D28CF36h 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov edi, 045090FFh 0x00000040 mov eax, dword ptr [ebp+122D16D1h] 0x00000046 push 00000000h 0x00000048 push eax 0x00000049 call 00007FF20D28CF38h 0x0000004e pop eax 0x0000004f mov dword ptr [esp+04h], eax 0x00000053 add dword ptr [esp+04h], 0000001Dh 0x0000005b inc eax 0x0000005c push eax 0x0000005d ret 0x0000005e pop eax 0x0000005f ret 0x00000060 mov edi, 34752008h 0x00000065 push FFFFFFFFh 0x00000067 push edx 0x00000068 push ecx 0x00000069 mov dword ptr [ebp+122D2E7Fh], ecx 0x0000006f pop ebx 0x00000070 pop ebx 0x00000071 nop 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632AD2 second address: 632AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632AD6 second address: 632AF7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF20D28CF45h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632AF7 second address: 632B09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jns 00007FF20CB6C7C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637532 second address: 637538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637538 second address: 637543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637543 second address: 637547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637547 second address: 637551 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 638D60 second address: 638D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 634A90 second address: 634A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 634A94 second address: 634AA8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jbe 00007FF20D28CF36h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63C8FE second address: 63C902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63C902 second address: 63C908 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 643A7C second address: 643AC3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnl 00007FF20CB6C7C6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ecx 0x00000011 jmp 00007FF20CB6C7D9h 0x00000016 pop ecx 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF20CB6C7D8h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 643AC3 second address: 643AE0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF20D28CF3Ch 0x00000008 jnc 00007FF20D28CF36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jl 00007FF20D28CF3Eh 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 648C83 second address: 648C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 648C97 second address: 648CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF20D28CF36h 0x0000000a jmp 00007FF20D28CF3Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6490CB second address: 6490DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF20CB6C7C6h 0x0000000a jns 00007FF20CB6C7C6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6490DC second address: 6490EF instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF20D28CF3Ch 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6493B4 second address: 6493B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 649814 second address: 649832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007FF20D28CF45h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DD20 second address: 64DD35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jnl 00007FF20CB6C7CEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DD35 second address: 64DD52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF47h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DD52 second address: 64DD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61F9D6 second address: 61F9DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61FFA5 second address: 62000F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edi 0x0000000b push esi 0x0000000c jng 00007FF20CB6C7C6h 0x00000012 pop esi 0x00000013 pop edi 0x00000014 mov eax, dword ptr [eax] 0x00000016 jp 00007FF20CB6C7E3h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push ecx 0x00000021 push ebx 0x00000022 jmp 00007FF20CB6C7CCh 0x00000027 pop ebx 0x00000028 pop ecx 0x00000029 pop eax 0x0000002a mov dword ptr [ebp+122D353Ch], ecx 0x00000030 mov dx, di 0x00000033 push EA3B76BFh 0x00000038 pushad 0x00000039 push esi 0x0000003a jno 00007FF20CB6C7C6h 0x00000040 pop esi 0x00000041 pushad 0x00000042 push edi 0x00000043 pop edi 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620128 second address: 62012C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62022D second address: 620231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620231 second address: 620235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620235 second address: 620258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007FF20CB6C7D1h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620258 second address: 620280 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF20D28CF3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FF20D28CF3Dh 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620280 second address: 62028A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62028A second address: 62028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62034D second address: 62035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 jo 00007FF20CB6C7C6h 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62035C second address: 620361 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6209DE second address: 6209E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6209E2 second address: 6209E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6209E8 second address: 6209EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6209EE second address: 620A07 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edx 0x00000011 jng 00007FF20D28CF3Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620B03 second address: 620B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FF20CB6C7CCh 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FF20CB6C7C8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 lea eax, dword ptr [ebp+1248F6F2h] 0x0000002d mov dword ptr [ebp+122D22A5h], edi 0x00000033 pushad 0x00000034 jbe 00007FF20CB6C7CBh 0x0000003a mov edx, 33D9469Dh 0x0000003f pushad 0x00000040 jne 00007FF20CB6C7C6h 0x00000046 mov dl, 5Fh 0x00000048 popad 0x00000049 popad 0x0000004a nop 0x0000004b jne 00007FF20CB6C7CAh 0x00000051 push eax 0x00000052 push ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FF20CB6C7D5h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620B7F second address: 5FF53B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FF20D28CF38h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov ecx, 48C9A353h 0x0000002b call dword ptr [ebp+122D2F02h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FF20D28CF3Ch 0x00000038 push edi 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FF53B second address: 5FF541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FF541 second address: 5FF546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DBDB4 second address: 5DBDD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20CB6C7D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E2F9 second address: 64E2FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E5A7 second address: 64E5AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E5AB second address: 64E5C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF20D28CF3Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E84E second address: 64E852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E852 second address: 64E856 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E856 second address: 64E877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20CB6C7D7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E877 second address: 64E8B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FF20D28CF38h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FF20D28CF40h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E8B2 second address: 64E8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FF20CB6C7C6h 0x0000000d jnp 00007FF20CB6C7C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64E8C5 second address: 64E8DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF43h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65CB0D second address: 65CB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65CB13 second address: 65CB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FF20D28CF38h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65CB27 second address: 65CB32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF20CB6C7C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65B876 second address: 65B87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65B9C8 second address: 65B9D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65B9D3 second address: 65B9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop ebx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BDAE second address: 65BDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20CB6C7D5h 0x00000009 popad 0x0000000a jnl 00007FF20CB6C7CAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BDD2 second address: 65BE03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FF20D28CF36h 0x00000009 jmp 00007FF20D28CF3Fh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF20D28CF3Fh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BE03 second address: 65BE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BE07 second address: 65BE47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF45h 0x00000007 jmp 00007FF20D28CF41h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007FF20D28CF36h 0x00000016 jmp 00007FF20D28CF3Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BE47 second address: 65BE53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BE53 second address: 65BE57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BFBB second address: 65BFC5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65B5AC second address: 65B5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF20D28CF36h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C28A second address: 65C292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C292 second address: 65C296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C296 second address: 65C2A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C2A2 second address: 65C2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C2A8 second address: 65C2F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D5h 0x00000007 jnl 00007FF20CB6C7C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007FF20CB6C7E5h 0x00000019 jmp 00007FF20CB6C7D9h 0x0000001e jc 00007FF20CB6C7C6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C2F0 second address: 65C2F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C2F9 second address: 65C2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C2FF second address: 65C311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20D28CF3Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C45F second address: 65C465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C465 second address: 65C48A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF20D28CF3Eh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 push ecx 0x00000017 pushad 0x00000018 popad 0x00000019 push esi 0x0000001a pop esi 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C5E9 second address: 65C5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF20CB6C7C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65C5F3 second address: 65C615 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF20D28CF48h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6624BB second address: 6624F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FF20CB6C7C6h 0x00000011 jmp 00007FF20CB6C7D5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6624F0 second address: 6624FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6624FC second address: 662500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6613FA second address: 6613FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6613FE second address: 661402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 661402 second address: 66141A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20D28CF42h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6615A7 second address: 6615CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 jmp 00007FF20CB6C7D8h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6615CB second address: 6615D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6616FB second address: 66171C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FF20CB6C7C6h 0x0000000b pop edi 0x0000000c jns 00007FF20CB6C7CAh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push ebx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push edi 0x0000001c pop edi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66171C second address: 661726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 661726 second address: 66172C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 661858 second address: 661861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 661861 second address: 661865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6647EF second address: 6647F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 664961 second address: 66496B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66496B second address: 66497A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FF20D28CF36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66497A second address: 66497E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66497E second address: 66499A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007FF20D28CF3Ah 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66499A second address: 6649A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6649A0 second address: 6649A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 667EB4 second address: 667EBE instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF20CB6C7C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 667EBE second address: 667EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 667EC7 second address: 667ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 667ECE second address: 667ED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 667701 second address: 66776B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF20CB6C7CCh 0x0000000b jmp 00007FF20CB6C7D7h 0x00000010 popad 0x00000011 push edx 0x00000012 jmp 00007FF20CB6C7CCh 0x00000017 push esi 0x00000018 pop esi 0x00000019 pop edx 0x0000001a popad 0x0000001b pushad 0x0000001c jbe 00007FF20CB6C7DEh 0x00000022 jmp 00007FF20CB6C7D6h 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 jmp 00007FF20CB6C7CDh 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6678F6 second address: 6678FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6678FF second address: 667905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 667905 second address: 66791D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FF20D28CF40h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66791D second address: 667923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66C3E9 second address: 66C3F7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66C3F7 second address: 66C3FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66C3FD second address: 66C450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF20D28CF45h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF20D28CF3Fh 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jc 00007FF20D28CF36h 0x00000020 jmp 00007FF20D28CF48h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66C450 second address: 66C470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF20CB6C7CFh 0x00000009 jmp 00007FF20CB6C7CDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 673554 second address: 673565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20D28CF3Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 673565 second address: 673589 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF20CB6C7D6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 671DE7 second address: 671E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF20D28CF49h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 671E09 second address: 671E0E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 671E0E second address: 671E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6720DF second address: 6720E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6720E8 second address: 6720EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6723BB second address: 6723CD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF20CB6C7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FF20CB6C7C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6723CD second address: 6723E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF46h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6723E7 second address: 6723ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6723ED second address: 672411 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF20D28CF43h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e jc 00007FF20D28CF3Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620593 second address: 620599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620599 second address: 62059E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62059E second address: 6205D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor dword ptr [ebp+1246AEC1h], ecx 0x00000012 mov ebx, dword ptr [ebp+1248F731h] 0x00000018 movsx ecx, si 0x0000001b mov dx, di 0x0000001e add eax, ebx 0x00000020 mov edx, dword ptr [ebp+122D356Bh] 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6205D5 second address: 6205DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6726B1 second address: 6726B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 675CA8 second address: 675CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67BDBB second address: 67BDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF20CB6C7D4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67BDD7 second address: 67BDDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67C25D second address: 67C261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67C89F second address: 67C8BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF47h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67C8BC second address: 67C8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67CBBA second address: 67CBBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67CBBE second address: 67CBCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF20CB6C7C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67CBCA second address: 67CBEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FF20D28CF46h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67CBEC second address: 67CC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20CB6C7D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67CE84 second address: 67CE8A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67D147 second address: 67D14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67D14F second address: 67D155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67D6E0 second address: 67D6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF20CB6C7C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67D6EB second address: 67D6F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67D6F0 second address: 67D6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67D6F6 second address: 67D71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FF20D28CF41h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jnp 00007FF20D28CF3Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6828B6 second address: 6828C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 681A15 second address: 681A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 681B48 second address: 681B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20CB6C7D0h 0x00000009 popad 0x0000000a jmp 00007FF20CB6C7D0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 681B6D second address: 681B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF20D28CF36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 681FA0 second address: 681FBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF20CB6C7D1h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68216C second address: 682192 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007FF20D28CF36h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF20D28CF3Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007FF20D28CF36h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 682192 second address: 68219A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68219A second address: 6821A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6821A2 second address: 6821A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6821A6 second address: 6821AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6821AC second address: 6821B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 682321 second address: 68232D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF20D28CF36h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68232D second address: 682334 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6909DB second address: 6909E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6909E4 second address: 6909F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF20CB6C7CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F552 second address: 68F558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F558 second address: 68F55C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F55C second address: 68F562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F562 second address: 68F580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF20CB6C7D5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F819 second address: 68F81F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6901A3 second address: 6901BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20CB6C7D8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6901BF second address: 6901C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6901C5 second address: 6901CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6901CB second address: 6901E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF20D28CF3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6901E1 second address: 6901E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6901E9 second address: 6901F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 695E8A second address: 695E90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 695FCF second address: 695FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 695FD7 second address: 695FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 695FE1 second address: 695FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 695FE7 second address: 695FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF20CB6C7CFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 695FFF second address: 696003 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 696179 second address: 696186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 696186 second address: 696199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FF20D28CF36h 0x0000000d jbe 00007FF20D28CF36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 696199 second address: 69619D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A375C second address: 6A3760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A3760 second address: 6A377A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF20CB6C7D4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A30FB second address: 6A30FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A30FF second address: 6A3105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A3270 second address: 6A3285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20D28CF41h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A9680 second address: 6A9684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A9684 second address: 6A9688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A9688 second address: 6A9695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A9695 second address: 6A96BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF20D28CF36h 0x0000000a jmp 00007FF20D28CF45h 0x0000000f popad 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A96BB second address: 6A96CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FF20CB6C7CAh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A91ED second address: 6A91F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A91F3 second address: 6A91F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A91F9 second address: 6A9205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FF20D28CF36h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A9205 second address: 6A921D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FF20CB6C7C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 je 00007FF20CB6C7C6h 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A921D second address: 6A9229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jns 00007FF20D28CF36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AAE55 second address: 6AAE5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AAE5B second address: 6AAE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20D28CF46h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AAE75 second address: 6AAE79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AAE79 second address: 6AAE7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AACC8 second address: 6AACCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C022A second address: 6C022E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C022E second address: 6C024F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007FF20CB6C7C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF20CB6C7D3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C024F second address: 6C0256 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C0256 second address: 6C025C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C0680 second address: 6C0695 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF20D28CF36h 0x00000008 jmp 00007FF20D28CF3Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C0800 second address: 6C0804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C0804 second address: 6C0808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C0808 second address: 6C0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF20CB6C7C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e ja 00007FF20CB6C7CCh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C38CF second address: 6C38F0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF20D28CF36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FF20D28CF44h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C38F0 second address: 6C38F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C625D second address: 6C6271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF20D28CF36h 0x0000000a popad 0x0000000b pushad 0x0000000c jns 00007FF20D28CF36h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4DBD second address: 6E4DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E48FC second address: 6E4901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4901 second address: 6E4910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4910 second address: 6E491C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF20D28CF36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4A66 second address: 6E4A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jns 00007FF20CB6C7DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jnc 00007FF20CB6C7C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE30C second address: 6FE310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE310 second address: 6FE314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE314 second address: 6FE31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE31A second address: 6FE320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE320 second address: 6FE343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FF20D28CF40h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007FF20D28CF36h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FD292 second address: 6FD2A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF20CB6C7D1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70283A second address: 702840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702840 second address: 702844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702844 second address: 702848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70420E second address: 704214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 704214 second address: 70421C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 703DC2 second address: 703DD2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF20CB6C7CAh 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705D11 second address: 705D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705D1A second address: 705D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705D1E second address: 705D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705D22 second address: 705D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705D2C second address: 705D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0D33 second address: 4DA0D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0D38 second address: 4DA0D78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 pushfd 0x00000007 jmp 00007FF20D28CF45h 0x0000000c adc ah, 00000066h 0x0000000f jmp 00007FF20D28CF41h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [eax+00000860h] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0D78 second address: 4DA0D7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0D7C second address: 4DA0D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61970A second address: 619711 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 463C1C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 60E30F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 638D8C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 463B13 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 61FB51 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 463B0D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 699DAC instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4188

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2183447092.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWFH
Source: file.exe, 00000000.00000002.2183447092.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00445BB0 LdrInitializeThunk,

0_2_00445BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor

Source: file.exe, file.exe, 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: ,zProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
sergei-esenin.com	11%	Virustotal	Browse
eaglepawnoy.store	18%	Virustotal	Browse
spirittunek.store	14%	Virustotal	Browse
dissapoiznw.store	14%	Virustotal	Browse
clearancek.site	18%	Virustotal	Browse
mobbipenju.store	14%	Virustotal	Browse
bathdoomgaz.store	14%	Virustotal	Browse
studennotediw.store	18%	Virustotal	Browse
licendfilteo.site	16%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	0%	Virustotal		Browse
https://sergei-esenin.com:443/apif	11%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	0%	Virustotal		Browse
https://sergei-esenin.com/	0%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
https://clearancek.site:443/api	18%	Virustotal		Browse
clearancek.site	18%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
licendfilteo.site	16%	Virustotal		Browse
https://steamcommunity.com:443/profiles/76561199724331900	8%	Virustotal		Browse
https://steamcommunity.com/workshop/	0%	Virustotal		Browse
https://mobbipenju.store:443/api	18%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e	0%	Virustotal		Browse
https://studennotediw.store:443/api	18%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.c	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	Virustotal		Browse
https://sergei-esenin.com/api	12%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	false	0%, Virustotal, Browse	unknown
sergei-esenin.com	172.67.206.204	true	true	11%, Virustotal, Browse	unknown
eaglepawnoy.store	unknown	unknown	false	18%, Virustotal, Browse	unknown
bathdoomgaz.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
spirittunek.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
licendfilteo.site	unknown	unknown	true	16%, Virustotal, Browse	unknown
studennotediw.store	unknown	unknown	false	18%, Virustotal, Browse	unknown
mobbipenju.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
clearancek.site	unknown	unknown	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	unknown	unknown	false	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true	18%, Virustotal, Browse	unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true	16%, Virustotal, Browse	unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown
https://sergei-esenin.com/api	true	12%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/	file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/apif	file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	true	11%, Virustotal, Browse	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://clearancek.site:443/api	file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://eaglepawnoy.store:443/apiG	file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com:443/profiles/76561199724331900	file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.c	file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://studennotediw.store:443/api	file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://mobbipenju.store:443/api	file.exe, 00000000.00000002.2183447092.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000002.2187048503.0000000001009000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176656738.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	file.exe, 00000000.00000003.2176656738.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176631949.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2183447092.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186999732.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
172.67.206.204	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528584
Start date and time:	2024-10-08 03:21:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:22:04	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
172.67.206.204	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	CatalogApp.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8
steamcommunity.com	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://starylasfe.com.de/6SZZr/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	2ngxhElaud.exe	Get hash	malicious	Xmrig	Browse	172.67.173.168
	copyright_infringement_evidence_1.exe	Get hash	malicious	Unknown	Browse	172.67.158.129
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Copyright_Infringement_Evidence.exe	Get hash	malicious	Unknown	Browse	172.67.158.129
	ArT23Ix6Ox.exe	Get hash	malicious	Unknown	Browse	172.67.159.186
	cqKYl7T4CR.exe	Get hash	malicious	Unknown	Browse	104.21.9.92
	ArT23Ix6Ox.exe	Get hash	malicious	Unknown	Browse	104.21.9.92
	cqKYl7T4CR.exe	Get hash	malicious	Unknown	Browse	172.67.159.186
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
AKAMAI-ASUS	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	copyright_infringement_evidence_1.exe	Get hash	malicious	Unknown	Browse	23.47.168.24
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Copyright_Infringement_Evidence.exe	Get hash	malicious	Unknown	Browse	96.17.64.189
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254 172.67.206.204
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948283082912695
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'872'384 bytes
MD5:	a897803efb207ab2eea75a982a75e9e3
SHA1:	f368e5e65ccc7e7a39443deab4a6655127c57d84
SHA256:	652d8125ed9fb67fa664e261af816b1eff355f9181131844502471f0bcc1c332
SHA512:	3a5aae7cd8ea0fade2e8ec71ed9fa98c3d85c44829246bd42fe4bd81d65a2ef421cdf898c1d439ae1e9be28b8905f76811fbc1ad2a8040a181c8bc9d2eb8caec
SSDEEP:	49152:BrKqLmurM8HIFGGNnUee+slJs1oj9Uqdo+ZnQSPqUfNF:BrZIUzGR0fs1oj+W71LNF
TLSH:	9485330A6F771CAAC8EC47F335A19429367C30FB46F0C9B9036D61C5598F2618696ECC
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................K...........@..........................0K...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b0000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FF20C8A82DAh
pshufw mm3, qword ptr [eax+eax], 00h
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
jnc 00007FF20C8A8259h
cmp al, 64h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	a5b5515d661e0e9e41e72ef52a9cf444	False	0.9994907693894389	data	7.979615080227463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2af000	0x200	5379c9a857a2fa15fe4edf0496e2cd0e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hnuxtrfl	0x30f000	0x1a0000	0x19fa00	4c19b520d0acf0dbbc138562cf6e70bb	False	0.9942293233082706	data	7.954227730835619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yeisysqm	0x4af000	0x1000	0x400	31a59dd25029c6e8bd522c15d3eedca5	False	0.8076171875	data	6.242529930752685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b0000	0x3000	0x2200	4a47675e53df3be4860cdd9dd7a2a48b	False	0.07111672794117647	DOS executable (COM)	0.7030405824836049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T03:22:05.381587+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.6	62355	1.1.1.1	53	UDP
2024-10-08T03:22:05.395334+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.6	51493	1.1.1.1	53	UDP
2024-10-08T03:22:05.406186+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.6	62007	1.1.1.1	53	UDP
2024-10-08T03:22:05.416488+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.6	59242	1.1.1.1	53	UDP
2024-10-08T03:22:05.425571+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.6	59325	1.1.1.1	53	UDP
2024-10-08T03:22:05.435172+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.6	52858	1.1.1.1	53	UDP
2024-10-08T03:22:05.449141+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.6	54348	1.1.1.1	53	UDP
2024-10-08T03:22:05.516037+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.6	55446	1.1.1.1	53	UDP
2024-10-08T03:22:08.151651+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49712	172.67.206.204	443	TCP
2024-10-08T03:22:08.151651+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49712	172.67.206.204	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:22:05.654443979 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:05.654536009 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:05.654644966 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:05.676515102 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:05.676549911 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.430560112 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.430674076 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:06.434998989 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:06.435030937 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.435486078 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.476133108 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:06.486769915 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:06.531411886 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.945785046 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.945843935 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.945885897 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.945905924 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.945940018 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.945956945 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:06.945982933 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:06.946000099 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:06.946031094 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:07.046361923 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:07.046392918 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:07.046674013 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:07.046690941 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:07.046766996 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:07.058782101 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:07.058912992 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:07.058948040 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:07.058957100 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:07.059959888 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 8, 2024 03:22:07.059973955 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 8, 2024 03:22:07.226581097 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:07.226639986 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:07.226712942 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:07.227458000 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:07.227474928 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:07.700030088 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:07.700155973 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:07.701785088 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:07.701791048 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:07.702274084 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:07.703351021 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:07.703377008 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:07.703454018 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:08.151642084 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:08.151751995 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:08.151825905 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:08.152565002 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:08.152580976 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 8, 2024 03:22:08.152595043 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 8, 2024 03:22:08.152601957 CEST	443	49712	172.67.206.204	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:22:05.381587029 CEST	62355	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.391057968 CEST	53	62355	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:05.395334005 CEST	51493	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.403923035 CEST	53	51493	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:05.406186104 CEST	62007	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.415344000 CEST	53	62007	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:05.416487932 CEST	59242	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.424670935 CEST	53	59242	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:05.425570965 CEST	59325	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.434235096 CEST	53	59325	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:05.435172081 CEST	52858	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.444216967 CEST	53	52858	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:05.449141026 CEST	54348	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.459711075 CEST	53	54348	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:05.516036987 CEST	55446	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.525788069 CEST	53	55446	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:05.528745890 CEST	64157	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:05.537777901 CEST	53	64157	1.1.1.1	192.168.2.6
Oct 8, 2024 03:22:07.062860012 CEST	51654	53	192.168.2.6	1.1.1.1
Oct 8, 2024 03:22:07.225553989 CEST	53	51654	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 03:22:05.381587029 CEST	192.168.2.6	1.1.1.1	0x81ec	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.395334005 CEST	192.168.2.6	1.1.1.1	0x87e9	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.406186104 CEST	192.168.2.6	1.1.1.1	0xe5bd	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.416487932 CEST	192.168.2.6	1.1.1.1	0xbbc8	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.425570965 CEST	192.168.2.6	1.1.1.1	0xa6bb	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.435172081 CEST	192.168.2.6	1.1.1.1	0x116c	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.449141026 CEST	192.168.2.6	1.1.1.1	0x7a1b	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.516036987 CEST	192.168.2.6	1.1.1.1	0x88c4	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.528745890 CEST	192.168.2.6	1.1.1.1	0xa177	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:07.062860012 CEST	192.168.2.6	1.1.1.1	0xba2d	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 03:22:05.391057968 CEST	1.1.1.1	192.168.2.6	0x81ec	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.403923035 CEST	1.1.1.1	192.168.2.6	0x87e9	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.415344000 CEST	1.1.1.1	192.168.2.6	0xe5bd	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.424670935 CEST	1.1.1.1	192.168.2.6	0xbbc8	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.434235096 CEST	1.1.1.1	192.168.2.6	0xa6bb	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.444216967 CEST	1.1.1.1	192.168.2.6	0x116c	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.459711075 CEST	1.1.1.1	192.168.2.6	0x7a1b	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.525788069 CEST	1.1.1.1	192.168.2.6	0x88c4	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:05.537777901 CEST	1.1.1.1	192.168.2.6	0xa177	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:07.225553989 CEST	1.1.1.1	192.168.2.6	0xba2d	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:22:07.225553989 CEST	1.1.1.1	192.168.2.6	0xba2d	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.102.49.254	443	1808	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:22:06 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-08 01:22:06 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 08 Oct 2024 01:22:06 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=f2b283b0ffc7c1a9d04a7643; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-08 01:22:06 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-08 01:22:07 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-08 01:22:07 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-08 01:22:07 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	172.67.206.204	443	1808	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:22:07 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-08 01:22:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-08 01:22:08 UTC	799	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:22:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hg6hdmbbvqgnuq657hl72uksvu; expires=Fri, 31 Jan 2025 19:08:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qVS68RgeafWxXA6arbc04%2BxfptRT6O7JeSnUV7IC5%2BqdPMGV5ZV4EXetf6zqWGrItsVNq9KivIW%2FA4xgEuGS4tWn28ZkHiPLqzREU0lhgOJAOaydUMaxLr4LuDmX5JO%2FUXYAKw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf2516e89c81982-EWR
2024-10-08 01:22:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-08 01:22:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:22:02
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	1'872'384 bytes
MD5 hash:	A897803EFB207AB2EEA75A982A75E9E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	74.4%
Total number of Nodes:	39
Total number of Limit Nodes:	3

Executed Functions

Function 0040FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 0040FCBE
V, xrefs: 0040FEDC
VY^_, xrefs: 0040FDFF
J|BJ, xrefs: 0041000D

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 43469e6f44eed1a9b836f895c9410751fc96af4312bcce639396a2a91bef0c87
Instruction ID: 46bfbcb27ba8ed3790a085b724e3df934ff4e710f175cd6eb4eed570374e9603
Opcode Fuzzy Hash: 43469e6f44eed1a9b836f895c9410751fc96af4312bcce639396a2a91bef0c87
Instruction Fuzzy Hash: EBD1AA7450C380ABD320DF14D59065FBBE1AB96748F14882EF4C89B352D37ACD89DB9A

Function 0040D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0040D2F1

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5ca0c4316ea36deb2113d3ec2a4b08de524bad3ea3d51cf739fc8558f848e27f
Instruction ID: 79ee8c8ceec45f10569ec0a45542d67f5cd49b0b3648e7fca99a1656154c7afa
Opcode Fuzzy Hash: 5ca0c4316ea36deb2113d3ec2a4b08de524bad3ea3d51cf739fc8558f848e27f
Instruction Fuzzy Hash: 2F415B7080D340ABD301BBA5D584A2FFBF5AF52708F148C6DE5C4A7292C339D8589B6B

Function 00445700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00445784

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 451ba736794f0e2f30a849843ab83a7da9f20e1e8286aac8e33d1c41455145f3
Instruction ID: c85136016a5953b7558c7414a3c459db971abdd3e4f37367334958bb3d5b1fc4
Opcode Fuzzy Hash: 451ba736794f0e2f30a849843ab83a7da9f20e1e8286aac8e33d1c41455145f3
Instruction Fuzzy Hash: DF119E7191C240EBD711AF28E840A1BBBF5AF86716F05883DE4C49B212D339D811CB9B

Function 00445BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00445BDE

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0044695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 004469C5

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6633439b2d620aad2fc70db867ecf2e0488191c6ea6818305a1740c0e6dcb0a1
Instruction ID: b580a72834fb4a93f0394d0152607d5e8ce86aad95610f9dfe43f3ae6cc63841
Opcode Fuzzy Hash: 6633439b2d620aad2fc70db867ecf2e0488191c6ea6818305a1740c0e6dcb0a1
Instruction Fuzzy Hash: 8B3187B15183019FE718DF14D8A062BB7E1EF86345F08882EE5C6A7262E3389904CB5A

Function 0041049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4ed68dea95914d3acff435751c268e57258c40ab59d6dd3abcb0da6bb8e230
Instruction ID: 128d79eef964fe1c6d2fcf0348367549390ec4233170401d85402ec08675fe94
Opcode Fuzzy Hash: 6b4ed68dea95914d3acff435751c268e57258c40ab59d6dd3abcb0da6bb8e230
Instruction Fuzzy Hash: 5B91AD75200B00DFD324CF25E890A17B7F6FF8A314B108A7DE8568BAA2D774E859CB54

Function 00410228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec469103406541d7740115c4a4ef00b1a79606deb7fca98e5e85681b27de974
Instruction ID: 556eb49ba36042942195999c17c6ad66ef69c2c7608a8e0819ce4132e362f307
Opcode Fuzzy Hash: 2ec469103406541d7740115c4a4ef00b1a79606deb7fca98e5e85681b27de974
Instruction Fuzzy Hash: AF717878200700DFD7248F21E894A27B7F6FF8A315F10897DE8468BA62D775E859CB64

Function 004499D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e37b05c5ee514fb84ad04cb82bf4d9c9880173c909dd8cb7c4cc63dc10bb943
Instruction ID: a8e5f0115ef9cc2a245a4522298d0b83bc8ae475ba7db3722f91b96381830f7f
Opcode Fuzzy Hash: 5e37b05c5ee514fb84ad04cb82bf4d9c9880173c909dd8cb7c4cc63dc10bb943
Instruction Fuzzy Hash: 84419134208380ABE714DA15E891B2FF7A5EB85714F14882EE58697352D339EC11DB5A

Function 004463B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 049d6deff16b302223b1f14eb6340c96fdf1b7666a75fc5c6e7645a80c0ef58d
Instruction ID: dc22281c18a1f9f830912eaee00e7b652779eb6edf7fc029966ea3178ced92ad
Opcode Fuzzy Hash: 049d6deff16b302223b1f14eb6340c96fdf1b7666a75fc5c6e7645a80c0ef58d
Instruction Fuzzy Hash: 2131E370209301BBEA24DB04CD82F3BB7A5EB86B55F64451DF581562D2D374E8118B5A

Function 00410EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f69c16b9c6494f60613f818dcde7c35e0fbda7122440d87ad7206b78ff61d5
Instruction ID: f7db70c198784b8fd72582c1e0f13720099aa33d4f886d554cd6c20bf7382887
Opcode Fuzzy Hash: 01f69c16b9c6494f60613f818dcde7c35e0fbda7122440d87ad7206b78ff61d5
Instruction Fuzzy Hash: 912139B4A0021A9FDB15CF94CC90BBEBBB1FF4A304F144819E811BB392C775A951CB68

Function 00443220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004432A6

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 50965382f7edf395daec22a3aa5bcca61c8fe5508095e75f982d05b7b9ec31b6
Instruction ID: 4bd1cfedf901e7341f085caf0d3c231c399316e56ace865125bd700590354386
Opcode Fuzzy Hash: 50965382f7edf395daec22a3aa5bcca61c8fe5508095e75f982d05b7b9ec31b6
Instruction Fuzzy Hash: 4B016D3450D3409BD701EF18E845A1ABBE8EF4AB02F054D6CE5C58B362D339DD60CB96

Function 00443202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00443208

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f4e883208b5af43432b1f7820fa52118579d54aaadfbe7b6ea97085ba09a0524
Instruction ID: d989c2ef34d315249fff67303ad5b66d5fc7957262475763486a37997b8dd8e1
Opcode Fuzzy Hash: f4e883208b5af43432b1f7820fa52118579d54aaadfbe7b6ea97085ba09a0524
Instruction Fuzzy Hash: CCB012304401005FDA141B00EC0AF003510EF00606F800070A100040B2D1619864C559

Non-executed Functions

Function 004323E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON

Download Yara Rule

Strings

3<, xrefs: 004332D6
:, xrefs: 004332DD
f@~!, xrefs: 004325FF
#v, xrefs: 0043344B, 00434861
mlc@, xrefs: 0043275C
%*+(, xrefs: 004340EF
aenQ, xrefs: 0043276A
fedc, xrefs: 00432782
Cx, xrefs: 0043453D
`tii, xrefs: 00432693
|}&C, xrefs: 00432F21
ggxz, xrefs: 00432685
{l`~, xrefs: 0043268C

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$#v
API String ID: 0-2260822535
Opcode ID: 288c32f1ee5c0d8c2fa62d4a5f5e7d5e68641557a66df78d8a63ddbdc3cdc88d
Instruction ID: b62d31e9bc48c434d765a5eb2b2335fb0fecb87c67adb63626b6e5a33ec35a8f
Opcode Fuzzy Hash: 288c32f1ee5c0d8c2fa62d4a5f5e7d5e68641557a66df78d8a63ddbdc3cdc88d
Instruction Fuzzy Hash: D733CD70504B818BD7258F39C590763BBE1BF1A305F58999EE4DA8B782C339F806CB65

Function 0041DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

QNOL, xrefs: 0041E775
|, xrefs: 0041ECB1
LKJI, xrefs: 0041E6E6
()./, xrefs: 0041E9CA
:WUE, xrefs: 0041F6B7, 0041F6C6
WP, xrefs: 0041DCEF
`Y^_, xrefs: 0041E99E
<=2, xrefs: 0041EA01
%*+(, xrefs: 0041DE37, 0041DE46
AR, xrefs: 0041DD10
D, xrefs: 0041E846
xgfe, xrefs: 0041E71D
tuJK, xrefs: 0041E967
mjkh, xrefs: 0041E7D8
dcba, xrefs: 0041E728
89>?, xrefs: 0041E9F6
`onm, xrefs: 0041E733
DCBA, xrefs: 0041E887, 0041E896
@ONM, xrefs: 0041E6DB
<=:;, xrefs: 0041E930
lkji, xrefs: 0041E73E
T, xrefs: 0041F157
tsrq, xrefs: 0041E6FC
89&', xrefs: 0041E93B

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 3aca602f0eebde9cb3c690e191d81ecc597cda58b696b57935bbcdc79f546c81
Instruction ID: 7598d05dc0c26532ac50cce47123b64bca39d2a776db515ded92a0dd69599683
Opcode Fuzzy Hash: 3aca602f0eebde9cb3c690e191d81ecc597cda58b696b57935bbcdc79f546c81
Instruction Fuzzy Hash: C0F289B45083819BD770CF15C484BEBBBE2BFD5304F54482EE8C98B252D7399985CB9A

Function 00429F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

/), xrefs: 0042A66D
?m,o, xrefs: 0042A13C
JG, xrefs: 0042AA27
]{, xrefs: 0042A1E7, 0042A1F3
hi, xrefs: 0042AB9D
kW, xrefs: 0042A380
WQ, xrefs: 0042A62B
_Y, xrefs: 0042A641
sm, xrefs: 0042A830
S], xrefs: 0042A636
WH, xrefs: 0042AA1C
CG, xrefs: 0042AA32
=], xrefs: 0042A36A
Gt, xrefs: 00429FF8
%e6g, xrefs: 0042A152
N[, xrefs: 0042A375
(a*c, xrefs: 0042A147

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 14b19aac752b5ef4ecb1b47a52897cdab9f3a50b0b99c601b98df2545d75d2c8
Instruction ID: b8799c557b819437a0217cb57af2b2d8c1cd9765bf6996d3a3f8de70d8c6b645
Opcode Fuzzy Hash: 14b19aac752b5ef4ecb1b47a52897cdab9f3a50b0b99c601b98df2545d75d2c8
Instruction Fuzzy Hash: 5752D7B410D385CAE230CF26D581B8EBAF1BB92700F608A1EE5ED9B255DB748045CF97

Function 00429510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

;IJK, xrefs: 0042983E
,A&C, xrefs: 0042982E
!E4G, xrefs: 00429836
?M0K, xrefs: 00429968
G'M!, xrefs: 00429ADB
B?Q9, xrefs: 00429B0B
B7U1, xrefs: 00429AFB
8;, xrefs: 00429B13
T#a-, xrefs: 00429AE3
pq, xrefs: 004299E0
X/R), xrefs: 00429AEB
O+f), xrefs: 00429634, 0042963D
2A"_, xrefs: 00429980
L3Y=, xrefs: 00429B03
z=Q?, xrefs: 00429826
G+X5, xrefs: 00429AF3

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 0d0ccd0bdecd6d97fec4c09f78e64ed9aa5e0acbf992196a221c48295110c105
Instruction ID: ee4a60710d18cb11db30f05fdba1beeaf38412a6d53f400a7105f7f03282ed4d
Opcode Fuzzy Hash: 0d0ccd0bdecd6d97fec4c09f78e64ed9aa5e0acbf992196a221c48295110c105
Instruction Fuzzy Hash: C0F130B4608380ABD310DF15E881A2BBBF4FB86748F944D1DF4D59B252D378D908CB9A

Function 0042DD29 Relevance: 18.6, Strings: 14, Instructions: 1142COMMON

Download Yara Rule

Strings

upH}, xrefs: 0042DE8A, 0042E798, 0042DF4A
=]+_, xrefs: 0042E276
,Q?S, xrefs: 0042E26F
rB, xrefs: 0042E92E
)IgK, xrefs: 0042E261
B, xrefs: 0042E403, 0042E664, 0042E7BD
B, xrefs: 0042E9C5
Y9N;, xrefs: 0042E245
-M2O, xrefs: 0042E25A
<Y.[, xrefs: 0042E27D
%*+(, xrefs: 0042E143
n\+H, xrefs: 0042DDC0
hX]N, xrefs: 0042DDC7
{E, xrefs: 0042E323

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: B$%*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$rB$upH}${E$B
API String ID: 0-748197983
Opcode ID: 8dd8184f901ffa707960a68774c03c711f670d44b17af35906b7a2a1120768e1
Instruction ID: 95927e5ec960cd0fc9cc5ab0011c1681f1657d8a6edd3bc0970d7a8ba8812c5f
Opcode Fuzzy Hash: 8dd8184f901ffa707960a68774c03c711f670d44b17af35906b7a2a1120768e1
Instruction Fuzzy Hash: 37920271E00215CFDB14CF69D8917AEBBB2FF49314F294269E411AB3A2D739AD01CB94

Function 0042098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

cah`, xrefs: 0042107E
9.5^, xrefs: 00420F9F
{, xrefs: 00421502
gce/, xrefs: 00421073
,#15, xrefs: 00420F94
&> &, xrefs: 00420F89
%*+(, xrefs: 00420A77, 00420A86
qrqp, xrefs: 00421089

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: e559b2e1f620d3013532da7281e31957f755eddf479bbbfbeefff96d06e81b4d
Instruction ID: 3aa8ba2cc02ea1078caa7484a92cc475bb0bf886c0a93d4d1f0146e2334c198f
Opcode Fuzzy Hash: e559b2e1f620d3013532da7281e31957f755eddf479bbbfbeefff96d06e81b4d
Instruction Fuzzy Hash: B962BBB56083818BD330CF14D491BABBBE1FF96314F44492EE49A8B792E3799840CB57

Function 00401000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402297
gfff, xrefs: 00402226
0123456789abcdefxp, xrefs: 00401587, 004015F8
0123456789ABCDEFXP, xrefs: 0040157D, 004015EB
-, xrefs: 004021ED
@, xrefs: 00402C40
gfff, xrefs: 004022E1

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 721d0dea7b3f362af23afb30706023090b4a2f792d074d4d600ed9755738e4f8
Instruction ID: cd4dd24a6e20378ca44ac048096463a85021fd6c5511c24f04d2b2dd35d767ca
Opcode Fuzzy Hash: 721d0dea7b3f362af23afb30706023090b4a2f792d074d4d600ed9755738e4f8
Instruction Fuzzy Hash: C2D204716083418FD718CE29C49436BBBE2AFC9314F188A3EE495AB3D1D778D945CB86

Function 005E10B0 Relevance: 10.4, Strings: 7, Instructions: 1674COMMON

Download Yara Rule

Strings

G-s, xrefs: 005E1CF8
/2, xrefs: 005E1519
Wp=z, xrefs: 005E1944
~W_?, xrefs: 005E1D57
my|, xrefs: 005E1DEB
Zz6, xrefs: 005E19FE
9x?, xrefs: 005E1FE7

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 9x?$Wp=z$Zz6$my|$~W_?$/2$G-s
API String ID: 0-2506908443
Opcode ID: 3f23e0cc2a4be3378ad72cd1dbf084bb66a4160a21b627153ac7657408f64aba
Instruction ID: 326fa1d360f838196f8a3de4c633eec1b45f37c491d2c0f233e87ce380195787
Opcode Fuzzy Hash: 3f23e0cc2a4be3378ad72cd1dbf084bb66a4160a21b627153ac7657408f64aba
Instruction Fuzzy Hash: E9B2E8F3A082049FE304AE2DEC8567AB7E9EFD4720F1A863DE6C5C7744E63558058693

Function 005D709D Relevance: 10.4, Strings: 7, Instructions: 1634COMMON

Download Yara Rule

Strings

S,o, xrefs: 005D8469
BR[K, xrefs: 005D7EA4
_w, xrefs: 005D7A58
C|?, xrefs: 005D82DD
$b|/, xrefs: 005D7E5B
]i46, xrefs: 005D80B9
BR[K, xrefs: 005D7E80

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: $b|/$BR[K$BR[K$S,o$]i46$C|?$_w
API String ID: 0-1192873825
Opcode ID: a7f6a20708b6eced0b8d4312286b9b19a5a249903fe386140f4dfc0c397991ae
Instruction ID: 388754a5d612bed20c2e3d4564c0835b7d6b604e8008ca1aa0e4392a3c97039c
Opcode Fuzzy Hash: a7f6a20708b6eced0b8d4312286b9b19a5a249903fe386140f4dfc0c397991ae
Instruction Fuzzy Hash: E3B217F360C2149FE3046E2DEC8567AFBE5EF94320F1A493DEAC487744EA3558058796

Function 005DF69E Relevance: 9.1, Strings: 6, Instructions: 1618COMMON

Download Yara Rule

Strings

b~7, xrefs: 005E0843
MZx, xrefs: 005DFEBB
u=~, xrefs: 005E0684
vxeT, xrefs: 005E03D5
y";S, xrefs: 005E0078
P2~Z, xrefs: 005DFE14

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: MZx$P2~Z$b~7$vxeT$y";S$u=~
API String ID: 0-3674273167
Opcode ID: 3c0649cf1f36a1332143502ff2ab8a3decb4a7e2d9c82046967c0088a1b8c62b
Instruction ID: 69782cf4835cb7ebec8830ca050097b9a33dde8153a2cf665281385dccf615d1
Opcode Fuzzy Hash: 3c0649cf1f36a1332143502ff2ab8a3decb4a7e2d9c82046967c0088a1b8c62b
Instruction Fuzzy Hash: 77B216F390C6009FE704AE29EC8567ABBE5EF94720F16893DE6C4C3744EA3598058797

Function 004012F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

@, xrefs: 00403531
0, xrefs: 00401E88
0, xrefs: 0040243E
i, xrefs: 004028EA
0, xrefs: 00401DC1

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: b4be53e809843589d8e12d706bec8b3671d847430c72f636258be89428d19354
Instruction ID: b05ed9cb7ee7ef56dea19278a51140160f2e555f63d5730ca8e87f3fd0da1f69
Opcode Fuzzy Hash: b4be53e809843589d8e12d706bec8b3671d847430c72f636258be89428d19354
Instruction Fuzzy Hash: E962E37160C3818BD318CE28C59476BBBE1AFD5304F148A2EE8D9A73D1D3B8D945CB46

Function 0040164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00401659
+, xrefs: 00401573
0123456789ABCDEFXP, xrefs: 0040164F
gfff, xrefs: 00401F3C
gfff, xrefs: 00401F57

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 030e067cca0a92ea68d816afc332590b0564ba22d6c41e6bf6924c1078abb7ff
Instruction ID: 417dd27fccb20db1f5e0eadc407f5a57fa67a4e5dbb72fb4b66b92ab233bc3a3
Opcode Fuzzy Hash: 030e067cca0a92ea68d816afc332590b0564ba22d6c41e6bf6924c1078abb7ff
Instruction Fuzzy Hash: 68F1C63060C3818FC715CE29C58425AFBE1AFD9304F188A6EE4D9973D2D778D945C796

Function 005DA620 Relevance: 6.7, Strings: 4, Instructions: 1660COMMON

Download Yara Rule

Strings

Z~s, xrefs: 005DAEB9
rB_, xrefs: 005DAFA3
c%w, xrefs: 005DB868
c%w, xrefs: 005DB84A

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: Z~s$c%w$c%w$rB_
API String ID: 0-3378713367
Opcode ID: d558f8b029f83e9bfe3ed1c3a37d699447d968351e93c0866dcc1e1569409d08
Instruction ID: 4dba7209d3d9635e2ac29aba4e1f09ed52d2ceba0f5bf3f1e5463232c1e53de5
Opcode Fuzzy Hash: d558f8b029f83e9bfe3ed1c3a37d699447d968351e93c0866dcc1e1569409d08
Instruction Fuzzy Hash: 58C227F3508204AFE304AE2DDC8567AFBE9EF94720F1A892DEAC5C7744E63558058787

Function 005D1FD4 Relevance: 6.7, Strings: 4, Instructions: 1655COMMON

Download Yara Rule

Strings

=q, xrefs: 005D22AC
V>~, xrefs: 005D2881
{w, xrefs: 005D2503
{, xrefs: 005D2431

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: V>~$=q${${w
API String ID: 0-2056390917
Opcode ID: 0a4f7fd0f2726e53e91204ba1c036f39aee57e650ef29be5bb5684d5364e6544
Instruction ID: 8b48c04bfdaf86ef62d31c9fe3f63f75c82fc10b1cf1f2afa12d5c7c4bef5f94
Opcode Fuzzy Hash: 0a4f7fd0f2726e53e91204ba1c036f39aee57e650ef29be5bb5684d5364e6544
Instruction Fuzzy Hash: 8BB229F3A082049FE3046F2DEC8567ABBE9EF94720F1A493DEAC5C7744E53598048697

Function 004013A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 004013AD
0123456789ABCDEFXP, xrefs: 004013A3
gfff, xrefs: 00401F3C
-, xrefs: 00401F23
gfff, xrefs: 00401F57

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: d6ff6ad1442cbdf409bfd7bb2423588c0ae80e6daf78ca5f303bac0752b65028
Instruction ID: 6cbc22f93edf153c161d87e2591b62b60ea0519cfe1a440f238d171fe2dcc66d
Opcode Fuzzy Hash: d6ff6ad1442cbdf409bfd7bb2423588c0ae80e6daf78ca5f303bac0752b65028
Instruction Fuzzy Hash: B3D1C33160C7818FC715CE29C58426AFFE2AFD9304F08CA6EE4D9973A2D278D945CB52

Function 005D4453 Relevance: 5.9, Strings: 4, Instructions: 883COMMON

Download Yara Rule

Strings

Hd~, xrefs: 005D47F3
]W[w, xrefs: 005D462C
jQW], xrefs: 005D48F0
%>w7, xrefs: 005D4509

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %>w7$Hd~$]W[w$jQW]
API String ID: 0-266855519
Opcode ID: ba496bf2c2f8b1b135a75a3702895e4ce02327cf60b16f4df8c4491a843c74cd
Instruction ID: d8963626d89eaa662573dcda4373c31499e337012c595393defc5d6d6c5f72a4
Opcode Fuzzy Hash: ba496bf2c2f8b1b135a75a3702895e4ce02327cf60b16f4df8c4491a843c74cd
Instruction Fuzzy Hash: 98422DF360C2009FE308AE2DDC8567ABBE5EF94720F16493DEAC5C7744EA3558058697

Function 0042FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

:, xrefs: 00430087
m1s3, xrefs: 0042FEC3, 0042FECB
NA_I, xrefs: 0043036D
uvw, xrefs: 0042FE95

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: b62660549d7d5466138bf7e97f20cd149622b5e2b25ebe3ed4f31f9a3290e906
Instruction ID: fdd7576776d8b72f843bf6cb92d916ac8189bda2b139dc337dfc2b0011706fb0
Opcode Fuzzy Hash: b62660549d7d5466138bf7e97f20cd149622b5e2b25ebe3ed4f31f9a3290e906
Instruction Fuzzy Hash: 233298B0508380DFD311DF29D890B2BBBE1AB8A304F544A6DF5D58B2A2D339D905CF5A

Function 00413BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

ss, xrefs: 00413C79
%*+(, xrefs: 00413EC4
;z, xrefs: 00413C87
p, xrefs: 00413C80

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 5e8120861b6c8c9a9d7252038d103c1f272e7134b3ade776601f69ae90ead12a
Instruction ID: 6fc80aed2c1e0a9dc3f43241e4ce63db2781ad5d59c44e7210cfcd152288ec90
Opcode Fuzzy Hash: 5e8120861b6c8c9a9d7252038d103c1f272e7134b3ade776601f69ae90ead12a
Instruction Fuzzy Hash: 37026AB4810B00EFD720EF25D986756BFF0FB06301F50495DE89A9B686E334E459CBA6

Function 00422260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

sj, xrefs: 00422327
a|, xrefs: 00422317
hu, xrefs: 0042232F
lc, xrefs: 00422507

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: a5f5465c40ca4004003a53b646f261a7f83e54714ea5f2aafa89858e9954eabe
Instruction ID: c3b3f2264d870f4ebb2766b597ab1a54863f36b1782fdb9e99909218a97b24d6
Opcode Fuzzy Hash: a5f5465c40ca4004003a53b646f261a7f83e54714ea5f2aafa89858e9954eabe
Instruction Fuzzy Hash: 80A19A705083519BC320DF18D891A2BB7F0FF96354F948A0DE8D59B3A1E379D941CBAA

Function 005DDC5D Relevance: 5.3, Strings: 3, Instructions: 1563COMMON

Download Yara Rule

Strings

y1b., xrefs: 005DEE26
D<5y, xrefs: 005DDD28
^I], xrefs: 005DE7AF

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: D<5y$^I]$y1b.
API String ID: 0-1238093184
Opcode ID: d7fe7b7105b75b5924e0e4d1fccfa007b78428e68565809c609c2606711a3bff
Instruction ID: 1d056a57fd4e3512044b73c2ac00afbc02a78ee57b3266dd4d9c205ca0f826b2
Opcode Fuzzy Hash: d7fe7b7105b75b5924e0e4d1fccfa007b78428e68565809c609c2606711a3bff
Instruction Fuzzy Hash: F1B2F6F360C2049FE304AE2DEC8567ABBE5EF94720F1A493DE6C4C7744EA3598058697

Function 0042D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

#', xrefs: 0042D9EA
KV, xrefs: 0042D97D
CV, xrefs: 0042D98B
T>, xrefs: 0042D984

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: c69b9ea6594a5c43ac04cb82c4969c9d22671953c70c58e81f226922327a0ad4
Instruction ID: 1fc607af9f9b46601215feea3d69c1686b23e8378f7f834930e827da9cd2d499
Opcode Fuzzy Hash: c69b9ea6594a5c43ac04cb82c4969c9d22671953c70c58e81f226922327a0ad4
Instruction Fuzzy Hash: 058185F4800B459BCB20DFA6D28516EBFB1FF06300F60560DE486ABA55C334AA55CFE6

Function 0042AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 0042AD07, 0042AD13
lk, xrefs: 0042ACBC
(g6e, xrefs: 0042ACA1
4c2a, xrefs: 0042ACA9

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 1c609d9cff232e5a0af7e6d07d86df279bf5132a1e312e2be22a14c0b30ee65f
Instruction ID: 499d2424b5971e3583fcab3f5083c3ce6c56a80dfd5f6d5d023e1b5e7aa1d845
Opcode Fuzzy Hash: 1c609d9cff232e5a0af7e6d07d86df279bf5132a1e312e2be22a14c0b30ee65f
Instruction Fuzzy Hash: 0D41A974418381CBD7208F20E900BABB7F0FF86705F94595EE9C897261DB35D944CB9A

Function 005DC9AD Relevance: 4.8, Strings: 3, Instructions: 1006COMMON

Download Yara Rule

Strings

MZx, xrefs: 005DC9FA, 005DCA3E, 005DCA5A, 005DCA5B
Dn5w, xrefs: 005DCD01
rTSH, xrefs: 005DCCDC

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: Dn5w$MZx$rTSH
API String ID: 0-2223629914
Opcode ID: ad8f7c837e95576804eb36ee3ee1814ff4e491ed3af824a1c3e5d2df1f38fbf8
Instruction ID: cc649c43eaab436e7980e9137bce0e8fd224935a8f27f01090e010d9ed81e9ec
Opcode Fuzzy Hash: ad8f7c837e95576804eb36ee3ee1814ff4e491ed3af824a1c3e5d2df1f38fbf8
Instruction Fuzzy Hash: A66205F3A08210AFE3046F19EC85A7ABBE5EF94720F1A493DE6C4C7740EA3558158697

Function 0042C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0042C8C3, 0042C8CB
%*+(, xrefs: 0042C9E4, 0042C9ED
~/i!, xrefs: 0042C537

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: b887c7a813782d3f3db4cab2b749ddd8dd2820ee6241bbee7a07772246314598
Instruction ID: 44547055704452f9425b5eac574bfa608e4ede704de850eebcbfe2c0abd5664c
Opcode Fuzzy Hash: b887c7a813782d3f3db4cab2b749ddd8dd2820ee6241bbee7a07772246314598
Instruction Fuzzy Hash: 91E196B5608340DFE3209F25E881B2FBBF5FB85345F48882DE58987262D739D815CB96

Function 00408590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

IEND, xrefs: 004089F0
), xrefs: 0040860C
), xrefs: 00408616

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 4c1adf4d3ddecd9b383167e0d128e5a9e29e2d1a0a5d0db94912750285bf625d
Instruction ID: 7b0a7d58c94c87a99718f8c1229f57d736b2b0b160ee577343842a101581e417
Opcode Fuzzy Hash: 4c1adf4d3ddecd9b383167e0d128e5a9e29e2d1a0a5d0db94912750285bf625d
Instruction Fuzzy Hash: 6AE1A0B1A087019FE310DF29C98172ABBE0BB94314F144A3EE595A73C1DB79E915CBC6

Function 00444040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

f, xrefs: 0044420C
%*+(, xrefs: 004440A4, 004440AD

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 93d2e41ff8fefeadeebd819e5298c232da756484c043851938903434b6986faa
Instruction ID: 1dbb99fb963de99ee2bc893b8278716bc4c005ff153f31ded2ad57cb65764550
Opcode Fuzzy Hash: 93d2e41ff8fefeadeebd819e5298c232da756484c043851938903434b6986faa
Instruction Fuzzy Hash: E3129A716083409FE714CF18C890B2FBBE1BBC9314F188A2EE5959B391D739E945CB96

Function 0043F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

hi, xrefs: 0043F6E6
dg, xrefs: 0043F7F5

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 5e7917aa6247f90dedd4a8bd3b27a17cb2984e91ab52c3d44705268a951244dc
Instruction ID: 6ae7dce0ad983abf7900d3181f5f8632c76c5ca10ed028a3d540cf60f2f7df66
Opcode Fuzzy Hash: 5e7917aa6247f90dedd4a8bd3b27a17cb2984e91ab52c3d44705268a951244dc
Instruction Fuzzy Hash: B5F18871618301EFE704DF24D891B2BBBE5EF8A355F14992DF0858B2A1C778D845CB16

Function 004035B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 0040360E
Inf, xrefs: 00403607

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: da9e90a145ef812cea4a1aec4dc33611fe657f569e89895301b885733208a132
Instruction ID: 6ceba37c3847f3a21e5f7dfd76b95f0aa99e029ea9695d7cebe5c5a59df9a423
Opcode Fuzzy Hash: da9e90a145ef812cea4a1aec4dc33611fe657f569e89895301b885733208a132
Instruction Fuzzy Hash: A7D1E5B1B083119BC714CF29C88061BBBE5EBC8751F148A3EF999A73D0E675DD058B86

Function 0041FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 004200F6
BaBc, xrefs: 00420197

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: f1f7f391700c1d153706023ea2e533e08aec07d0302d054125fe460e923244f9
Instruction ID: d230743506545f5782a98731e1c799d14bce2cdc927b8726e2baabbede69311e
Opcode Fuzzy Hash: f1f7f391700c1d153706023ea2e533e08aec07d0302d054125fe460e923244f9
Instruction Fuzzy Hash: E051BDB16083918BD331CF14E481BABB7E0FF96324F48491EE4999B752E3789940CB5B

Function 00405160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 004054C8

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 1a3104665a896686286cc9304e356932cbdba3b59960855d34dbb0a767b4a652
Instruction ID: f798af1116e4e56436896d3e756fa3ef2500c0c78a1f1b0c67fbc30a84c05b68
Opcode Fuzzy Hash: 1a3104665a896686286cc9304e356932cbdba3b59960855d34dbb0a767b4a652
Instruction Fuzzy Hash: FA22E5B6A08B418BE7158E18D940327BBA2EFE0304F19857ED8596B3C1E779DC05DF4A

Function 004312D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 004315D1

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: b61978d3d93341b6ac8407628b46be532e54ceee81fccc373d7970c106cbddf4
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: F2F15971A083415FC728CF29C49062BBBE5AFC9354F1CC56EE899873A2D638DD05C79A

Function 0042AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0042B2D3, 0042B2DB

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 37cafe863b4f89af320eab88efddba18658d73785692783ef96bdbcdafed7ec0
Instruction ID: 0fd75199dc1aa885ded36683215275f1c8ba22a7f010f65c933c69834725850d
Opcode Fuzzy Hash: 37cafe863b4f89af320eab88efddba18658d73785692783ef96bdbcdafed7ec0
Instruction Fuzzy Hash: AEE1AA71608316CBC314DF24D49066FB3E2FF99781F95892DE8C587261E338E955CB8A

Function 00416EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00416EF3

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 33b1c315d260bad0b8e3ac21f7964a9bcd34e8407c260525714fec7b36bfd593
Instruction ID: 85633129a109d9bc5d56a312537f48470567f827b1c7151664611e2b818bd402
Opcode Fuzzy Hash: 33b1c315d260bad0b8e3ac21f7964a9bcd34e8407c260525714fec7b36bfd593
Instruction Fuzzy Hash: C0F1ABB5A00601CFD7249F24D981A67B3F2FF49314B158A3ED48787A91EB38F855CB48

Function 00427E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00428263, 0042826B

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: a4092e13e778e34b04cc06808d0b2ff098ae44615809634ea0b33624ce49d721
Instruction ID: efa8a082c798d5a37c7ff4dcfc0c229a1f8096c9b2ef8ab50f11e3d0533b3497
Opcode Fuzzy Hash: a4092e13e778e34b04cc06808d0b2ff098ae44615809634ea0b33624ce49d721
Instruction Fuzzy Hash: BBC1E071609220ABD710EB14E882A2FB7F4EF95354F88481EF8C597391E738DC11CB6A

Function 00428D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00429233, 0042923B

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 43dcc4d9e14869a204de8d5745654a79a0cb570c903ce9a1249d2282df1aff0b
Instruction ID: 1aec477d14a888ddc875bca2887112a613fbb0e9c7f919902b2cc6268825eef4
Opcode Fuzzy Hash: 43dcc4d9e14869a204de8d5745654a79a0cb570c903ce9a1249d2282df1aff0b
Instruction Fuzzy Hash: FBD1CB74618302DFD704DF68E890A2AB7F5FF89306F49487DE88687292D738E854CB59

Function 00414487 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

BIA, xrefs: 0041485E

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: BIA
API String ID: 0-2889811446
Opcode ID: 63acb43539c1e86641bd66092934af7c7bceb0e4454a5643371b063cd6b1cc2b
Instruction ID: 5810bd02c89ba6f5fd421194d045b67d56bac76770fd1b95320cb258b79d8155
Opcode Fuzzy Hash: 63acb43539c1e86641bd66092934af7c7bceb0e4454a5643371b063cd6b1cc2b
Instruction Fuzzy Hash: DCE110B5601B408FD321CF28D992B97B7E1FF46708F04886DE4AAC7752E739B8548B58

Function 00447FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00448167

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 15b2b2ab07f69552667d7f583541ff44cf9710102d34f9d46ca85e990446f3da
Instruction ID: 265a1762c149af991191c73cee0a85352707d765de514f9ac196fee0a4e4c42c
Opcode Fuzzy Hash: 15b2b2ab07f69552667d7f583541ff44cf9710102d34f9d46ca85e990446f3da
Instruction Fuzzy Hash: 1BD105329082614FD725CE18D89072FB7E1EB85718F158A3DE8A5AB380DB79DC06C7C6

Function 00446CBF Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"pD, xrefs: 00447015

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "pD
API String ID: 0-2584131555
Opcode ID: 28a0d93d355116fb3295649300160d74ed16edcc1cb531d5b2b9ccf0bd9ae7a4
Instruction ID: 8ceaa78ac2b3e36bbd3b6b550e28527cb7310c98fb775494a323004d4214c83a
Opcode Fuzzy Hash: 28a0d93d355116fb3295649300160d74ed16edcc1cb531d5b2b9ccf0bd9ae7a4
Instruction Fuzzy Hash: CBD1F336618351CFC715CF38E89052ABBE2BB8A356F094A7DE891C7392D334DA44CB95

Function 0042CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0042CDC3, 0042CDCB

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 0b1a4559f8dcb7220c1ab6f89a0eb14625b5dcde67ce46eb09620a617cdcdb25
Instruction ID: 773845d1dcc6763c5d0d54bfbb32f15d90b8dee4bb5208f6d832f244d310cc0e
Opcode Fuzzy Hash: 0b1a4559f8dcb7220c1ab6f89a0eb14625b5dcde67ce46eb09620a617cdcdb25
Instruction Fuzzy Hash: 24B1F170A083118BD714DF14E880B2FBBE2EF85344F94492EE5C59B392E339D855CB9A

Function 0040A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 0040A9C3

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: a958856ab47e8510be969e32e7272a2a50d1adde87e6b5caf9384530b62cadb5
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: A9B128712083819FD324CF28C88461BBBE1AFA9704F448E2DF5D997382D675EA18CB57

Function 0043FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0043FCA4, 0043FCAD

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 02107b29c4c561106bebe06264f74803c3b00a2e3de84e2ed4b2f39a2a4f0528
Instruction ID: e78c53032f789a93e697dd70c90d8eccbcd7da54d101782a3d2fee7d09881f57
Opcode Fuzzy Hash: 02107b29c4c561106bebe06264f74803c3b00a2e3de84e2ed4b2f39a2a4f0528
Instruction Fuzzy Hash: DB81EF71508300EBE710DF55E984B2BB7E5FB89706F04882EF5C587252D738E819CB6A

Function 0041D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0041D663, 0041D66B

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 8c205a9275de143ede2518d9f0884a0e29e43b1db27561db001fe387963189c0
Instruction ID: 5ddc0e94daf0f12ed6da1a2ee88068810620b99d818c33262396bad69a83a160
Opcode Fuzzy Hash: 8c205a9275de143ede2518d9f0884a0e29e43b1db27561db001fe387963189c0
Instruction Fuzzy Hash: 2261C1B6904310EBD710AF18D882A6BB3B1FF94358F08052EF98597392E739D951C79A

Function 00444A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00444C33, 00444C3B

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 3be3595dc3a451bec4c2e8d2fb8f4e7e2dd0f2763735b32219318b6f16c3ffb2
Instruction ID: 783f1b0a37e952d407a6b3b9effdd2418d8a82931852daad831d1d438c34304a
Opcode Fuzzy Hash: 3be3595dc3a451bec4c2e8d2fb8f4e7e2dd0f2763735b32219318b6f16c3ffb2
Instruction Fuzzy Hash: 8D6100716083819BE710DF55C880B2BB7E6EBC4315F29892EE5C587392C739EC01CB5A

Function 00487555 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

Gqu, xrefs: 004875E3

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: Gqu
API String ID: 0-1446506253
Opcode ID: 50e9b6a89533db628014db52a5d14860d12124f9b9376323674ef3a790b4aaf9
Instruction ID: c54b434811a27b18f2591019e6a901b76010cee4cf7645b919beb98a656136a4
Opcode Fuzzy Hash: 50e9b6a89533db628014db52a5d14860d12124f9b9376323674ef3a790b4aaf9
Instruction Fuzzy Hash: B2610BF3A1C2009BE3086E2CED9537ABBD6DF84310F1A463ED6C5C7784E97559048786

Function 0048AAD1 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

JT}, xrefs: 0048AB77

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: JT}
API String ID: 0-3446767353
Opcode ID: 1a65fc54c9ed932aa278da725c245a19c78ad1a4e4e7ecd7cd759017fa67f22f
Instruction ID: 71be1938c9e77cb43c72e3787f3d140a6265566d2fad85357d3a6c2e5a320990
Opcode Fuzzy Hash: 1a65fc54c9ed932aa278da725c245a19c78ad1a4e4e7ecd7cd759017fa67f22f
Instruction Fuzzy Hash: BE5134F39086184BF304AA79EC457BAB7D5EB94310F1B463DEAC4D3780E979A80586C2

Function 004F90A6 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

/mw{, xrefs: 004F925C

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: /mw{
API String ID: 0-1051950978
Opcode ID: 9160e93385e373c52a7f8557519942f16f93a24e437b077ef4e10248a06266b0
Instruction ID: 1bef59a2c8225182942dcc593b1cf7446ea876f68e3ce45a9efe8d51ab7caa71
Opcode Fuzzy Hash: 9160e93385e373c52a7f8557519942f16f93a24e437b077ef4e10248a06266b0
Instruction Fuzzy Hash: E35109F3A192145FE300696CECD5BA6B7D9DB94634F1B053EEE84DB380E9745C0482D2

Function 0040E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0040E333

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 7fb79119c8b7e9dc55afa4138464863e5f7e156fcefff6606c592a99b47a041b
Instruction ID: a8d446618b5ac78b74e0f479a1595a37ad9c47cf2c8743516828393e873c61e9
Opcode Fuzzy Hash: 7fb79119c8b7e9dc55afa4138464863e5f7e156fcefff6606c592a99b47a041b
Instruction Fuzzy Hash: 9B512837B1969047D3289A3E5C5126A7E870B93334B2DCBBFE9F19B3E1D53988124345

Function 00443920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004439E3, 004439EB

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: a0512293a852150357ffe497ff99843de0c23ec793874d86353b61d924e360a6
Instruction ID: bb8897d947ada27b29517acb3c37188ee32ea08d1f20b14153425e25db8e3f3e
Opcode Fuzzy Hash: a0512293a852150357ffe497ff99843de0c23ec793874d86353b61d924e360a6
Instruction Fuzzy Hash: 0D51B2705083409BEB14DF15D890A2FBBE5EF89B06F14882EE4C697352C379DD10CB6A

Function 00411BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00411C3E

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: bf5552e4f83f3bf5aa9e4b1957c4ed33519c9f7afd665e70c400cb02b69d6293
Instruction ID: c9c07a0cc379112af2efaa1beaf16119b48b3fc99bbe8a65df57002b73cbbe79
Opcode Fuzzy Hash: bf5552e4f83f3bf5aa9e4b1957c4ed33519c9f7afd665e70c400cb02b69d6293
Instruction Fuzzy Hash: 574176B40083809BC7149F14D894A6FBBF0FF86314F04891DFAC59B2A1E73AC955CB5A

Function 0043FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00440033, 0044003B

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 695a98923d08e951caefb1a1b8c3a966955c2760769573da38008749caa79d8b
Instruction ID: 90101232a002fe0423f53c68a4a49eb85c28bd640bcb5a70b1295c71ee4aa0b9
Opcode Fuzzy Hash: 695a98923d08e951caefb1a1b8c3a966955c2760769573da38008749caa79d8b
Instruction Fuzzy Hash: 5831FA71904301ABF710EB55EC81B3BB7E8EB45748F54482AFA8597252E339DC24C76B

Function 0042E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 0042E6A2

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 3cf38b2fc3eb9455ebcb8f98ff7d5d1aefb3a0b4382cd21184165d351f226566
Instruction ID: 443694a2d7fffd6659701a112856bf4484a663f4f3e20cbbee785b9d0f15a78b
Opcode Fuzzy Hash: 3cf38b2fc3eb9455ebcb8f98ff7d5d1aefb3a0b4382cd21184165d351f226566
Instruction Fuzzy Hash: D831D7B5A00314CFC720DF96E88066FB7B4FB46305F54046ED446A7351D339E905CBAA

Function 00416F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0041703B

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 89ca5eb88c2ac5a0ddce704693cf7a57489f818b0fcfefdc58ec7f86393a03d0
Instruction ID: 027844ff935bf638db88eeaed96f7a46d2c5b9c4a72c4141dc0de37bd92b1546
Opcode Fuzzy Hash: 89ca5eb88c2ac5a0ddce704693cf7a57489f818b0fcfefdc58ec7f86393a03d0
Instruction Fuzzy Hash: AC413675204B04DBD7248F61D994B27BBF2FB0D705F14891DE58A9BBA2E339F8408B58

Function 0042E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 0042E6A2

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 862d56043b264c22862a1ec78247a119e39eb061f87544c2dbe5dc6565f804bf
Instruction ID: 102b49ef6780576e64ee3fe9b67189943fa8a50513135ef8338e4f62339dde5e
Opcode Fuzzy Hash: 862d56043b264c22862a1ec78247a119e39eb061f87544c2dbe5dc6565f804bf
Instruction Fuzzy Hash: 2A21E5B1A00314CFC720DF96E99066FBBB5BB4A705F54082DD446A7351C339ED01CBAA

Function 00449CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00449D30

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 000981c556330f841b5e4ffae7b6b8e5be7eb112713ccfe2535daf26eb5d62b7
Instruction ID: 818b5f8549534591f74286548d62349d8c22a18e2492c9d395011d6e8e1bc340
Opcode Fuzzy Hash: 000981c556330f841b5e4ffae7b6b8e5be7eb112713ccfe2535daf26eb5d62b7
Instruction Fuzzy Hash: 393158B09093009BE714EF15D880A2BFBF9EF9A318F14892DE5C597251D339D904CBAA

Function 00414E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e2370c82495afbb5da02b3147ad993e32e069cbcc971f3435652260299df28
Instruction ID: 8fd0340bd707ea7b19efa3f669fbd8baeb691a357e0e8c42d6bbf02db1fb3c63
Opcode Fuzzy Hash: 51e2370c82495afbb5da02b3147ad993e32e069cbcc971f3435652260299df28
Instruction Fuzzy Hash: C8625BB4500B00DFD725CF24C980BA7B7F6AF8A704F54892ED49A87A51E778F844CB99

Function 0040BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 186c7ddd65fb6ed806475a707ed8c022973b57e0555601bec51f0d2498d542d0
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 9452C631908711CBC7259F18D4802BBB3E1FFD5319F294B3ED986A72D0D739A8558B8A

Function 00448652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2b2c046038f82c2e77fc91c826be418359d08c5e9c0b932f90c1d4c207e94f
Instruction ID: 126e7381f6ba36b275a2adc454d9867bc6f8e95c58020b46c3556e5a458ef853
Opcode Fuzzy Hash: df2b2c046038f82c2e77fc91c826be418359d08c5e9c0b932f90c1d4c207e94f
Instruction Fuzzy Hash: 0A22CE35608341DFD704DF68E89062EB7E1FB8A31AF09887DE5898B352D735D990CB4A

Function 004486F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc8ddbdece73a741bb44eb9e3a3546ed752b88302be233eb2a0e63bfe7dad18
Instruction ID: fc3519b7fe9d85be35bb9ea6ceeadaa6d1d8831ab60a2d176a84332582957cf7
Opcode Fuzzy Hash: 9fc8ddbdece73a741bb44eb9e3a3546ed752b88302be233eb2a0e63bfe7dad18
Instruction Fuzzy Hash: 43229D35608340DFD704DF68E89061EB7E1FB8A31AF09897DE5858B362D735D990CB4A

Function 0040B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e46b44ab80c96838bc845868810fc41c008ea86121d9247d5acbc9ded64e9c
Instruction ID: f660abdea3764ef75224a453578f69ad586b25faecc3018879683375e0b6d520
Opcode Fuzzy Hash: 31e46b44ab80c96838bc845868810fc41c008ea86121d9247d5acbc9ded64e9c
Instruction Fuzzy Hash: 1C52B070908B849FE7358B24C4847A7BBE2EB95314F14487EC5E616BC2C77DA885CB8D

Function 004071F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b06f627f8f7063155f207e74ffce46a74d4b27d2ae33735865de5c38f21a1d3
Instruction ID: dce882efa0af8dfaa9e8fed2dd92e6c4e0dcddce4d64d913bf323e6e7216d96e
Opcode Fuzzy Hash: 6b06f627f8f7063155f207e74ffce46a74d4b27d2ae33735865de5c38f21a1d3
Instruction Fuzzy Hash: 6552C53190C3458FCB15CF14C0906AABBE1BF89314F198A7EE89967391D778F949CB86

Function 00408FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36ebcf98d8d4f0e9805d01399b1ec58c44f4bd4c0ba52c3f76a0745df3e19c7
Instruction ID: df39f22bc3b61ed4e131eaad030085bf3f1370c0a2a99d77bc116fcef0082d90
Opcode Fuzzy Hash: e36ebcf98d8d4f0e9805d01399b1ec58c44f4bd4c0ba52c3f76a0745df3e19c7
Instruction Fuzzy Hash: 4C425479608301DFD708CF29D85075ABBE1BF89315F09886DE8858B3A2D739D985CF86

Function 00407BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a9ddde86f9f0d6dcf61a8da39fda9f839fcfb56b46b398fe7e1491a94c2c2e
Instruction ID: f925e650f15462237797a12770b5ca85eed47a02f4857113ecfc25cbdaf7bff1
Opcode Fuzzy Hash: 90a9ddde86f9f0d6dcf61a8da39fda9f839fcfb56b46b398fe7e1491a94c2c2e
Instruction Fuzzy Hash: 56322270918B118FC378CF29C690526BBF1BF85710B604A2ED6979BB90D73AF845CB19

Function 004489A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4d2d06583a4867ce53ef7b4b233667544b37a098f27e44a78d903d712d0507
Instruction ID: 8eeaaffe80390125b5b5a3dea48c0f5522d616ea497bdf2e1e528505aa446434
Opcode Fuzzy Hash: 9e4d2d06583a4867ce53ef7b4b233667544b37a098f27e44a78d903d712d0507
Instruction Fuzzy Hash: 61029B35608341DFD704DF68E88061EBBE1EF8A30AF09896DE5C587362C739D954CB9A

Function 00448A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ccf70efcdce68a81d18d4c330b751e636fd728b4d7f84a8bdd0c87c968ba24
Instruction ID: 39b73d9c880bc0453bb4fba64bb26e38f7385eb2a0c5f035a5eb2cc48f90b6f7
Opcode Fuzzy Hash: 57ccf70efcdce68a81d18d4c330b751e636fd728b4d7f84a8bdd0c87c968ba24
Instruction Fuzzy Hash: F3F1793560C340DFD704DF68D88061EBBE1AB8A30AF09896DE5C587362D73AD954CB9A

Function 00448C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcd70aa861826757dcf4a0ff5767080c4dc57fa0dcec9ab401952c696d0d7a0
Instruction ID: b5840e7bf28faeab620f401cdd79a5faa7fd95e1b9c2e9994a38db7631958a4a
Opcode Fuzzy Hash: efcd70aa861826757dcf4a0ff5767080c4dc57fa0dcec9ab401952c696d0d7a0
Instruction Fuzzy Hash: DEE1BF31608351CFD704DF28D88062AF7E1FB8A31AF09896DE5D98B362D736D950CB96

Function 0040A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: bc9ebcca4d2682143c138643588c976842c751480b9d38a50ae0194d89b3ecc6
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: C8F1CC766083418FC724CF29C88176BFBE6AFD8304F08882EE4C587791E639E955CB56

Function 00448E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ea36399913635720f7eca804cf48feac3ef7a0ee9054f341f9a032ce7899cc
Instruction ID: 6626d97705cc59ef8cec7b400ba989c8f995b30cd1077917194483012928cb48
Opcode Fuzzy Hash: a7ea36399913635720f7eca804cf48feac3ef7a0ee9054f341f9a032ce7899cc
Instruction Fuzzy Hash: 64D18C3460C350DFE704EF28D88062EFBE5AB8A309F09896DE4C587262D73AD850DB56

Function 00447AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab695292c8b8be27e531aa2b31291d186ec3fa8c2225d2167c1a821e12252e0c
Instruction ID: 881145a2b4fb3ec09d1cee487ac4dc56256cabcb1525ff9bbec25e688bd1491a
Opcode Fuzzy Hash: ab695292c8b8be27e531aa2b31291d186ec3fa8c2225d2167c1a821e12252e0c
Instruction Fuzzy Hash: 1CB108B2A083505BF324DB29CC8176BB7E5EFC5314F044A2EE99597382E739DC068796

Function 0040AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: d2403d84ba716687a06019219a59fa95c5745d245e603055db9b5dcc38cbcbed
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 05C17B72A087418FC360CF28DC96BABB7E1EB85318F08492DD5D9D6342E778A155CB4A

Function 00416536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df23909c41cde32429cf588f44ae7519038640b1dcdcb8a2e8fef1a0fde99c34
Instruction ID: 31139def315b3b071297ffd32429c80de5895b433564d6c03b9059eb5b83f971
Opcode Fuzzy Hash: df23909c41cde32429cf588f44ae7519038640b1dcdcb8a2e8fef1a0fde99c34
Instruction Fuzzy Hash: ADB114B4500B409FD321CF24DA81B57BBF2AF46704F14885DD8AA8BB52D339F845CB58

Function 00447710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 06d2a9b65d24c27b711c164a386eb5496c0494da89673a6ba353a6ebe4661ba0
Instruction ID: 2ea316395023120f122be281cfff918667d2b9d1f2747b625dbe3c1c2d79b963
Opcode Fuzzy Hash: 06d2a9b65d24c27b711c164a386eb5496c0494da89673a6ba353a6ebe4661ba0
Instruction Fuzzy Hash: A0918B71608301ABF720DB15D840B6FBBE5EB89354F548C2EF58497352E738E941CB9A

Function 0044A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689efab42bf1deff25129f5450809d5ad41b2a9e1c3f4feff4220443d8d60f79
Instruction ID: 2aac8c4bd8af5d6d4a68f5c37c4bd5a4b349b50d6c5df718b2b81b065439eb57
Opcode Fuzzy Hash: 689efab42bf1deff25129f5450809d5ad41b2a9e1c3f4feff4220443d8d60f79
Instruction Fuzzy Hash: F0819F342487018BE724DF28D890A2FB7E5FF49744F45896DE98587351E739EC20CB9A

Function 004364F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cd372a116d043efc028469314845027128994ef8c54f150f525e54f19af1d2
Instruction ID: 7add00d468d7fc0e7d281e84bfb75422a84ce82d2e356259546b1a903ef3d468
Opcode Fuzzy Hash: c1cd372a116d043efc028469314845027128994ef8c54f150f525e54f19af1d2
Instruction Fuzzy Hash: BA711737B29A915BC3149D3C9C82396AA430BDB334F3ED37AA9B48B3E5D62D48064345

Function 004228E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a1dc1f05f7eea5014d6569e737efd72df379cdb3470560d34ae0e933f11a92
Instruction ID: edec9867881d6ff287b76f3451f303ac2d1b8a1b04d4d9c99188f1f87838e6dc
Opcode Fuzzy Hash: b9a1dc1f05f7eea5014d6569e737efd72df379cdb3470560d34ae0e933f11a92
Instruction Fuzzy Hash: 136189B46083609BD310AF15E851A2BBBF0FF96754F44491EE4C59B361E379C910CB6B

Function 00427C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb07391e1f15beb5cee761764f5164a6595a2a34182af6561bcba6c70bc5f2ad
Instruction ID: c684516fdec731d51aa7b55b6265a6e6cbd7c45fc046ab0e747ac5eb470703a1
Opcode Fuzzy Hash: cb07391e1f15beb5cee761764f5164a6595a2a34182af6561bcba6c70bc5f2ad
Instruction Fuzzy Hash: 3251CFB17182249BDB209F24EC82B7733B4EF85368F544959F9858B391F379E801C76A

Function 00431860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: a9f3c7d9876e4e9e1139d7bface3c38b8b3ba402ed6b70b7948fb8020bcb1766
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: E661D0316093019BD714DE28C58072FBBE2AFCD351F68E92FE4998B361D278DD41974A

Function 004382D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c84dc754691bb308a9dbcbaee720ee309334a0e93e615c3737e2285dce66845
Instruction ID: 7514fed5e8baa3187460d855a50001f6e6582a916078c06ef4d347cb8975da6c
Opcode Fuzzy Hash: 9c84dc754691bb308a9dbcbaee720ee309334a0e93e615c3737e2285dce66845
Instruction Fuzzy Hash: D9612827A5AB914BC314463C5C553A6EA831BEA330F3DD37FA8B18B3E5DD6E48024346

Function 004B544D Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987073512d380f73af0d8de1df3d0986c9effcdb001904926547d2174ea7bad9
Instruction ID: 20847503cfef919d58476d06fdea81970fa333382b526ca36596425173b36930
Opcode Fuzzy Hash: 987073512d380f73af0d8de1df3d0986c9effcdb001904926547d2174ea7bad9
Instruction Fuzzy Hash: 546145F3A0C7049BE3046E2DECC5776BBD5EB94320F1A453DE689C3784ED7A59058286

Function 004142FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbecff48ed410468ba6ec5c7fe6fc2da6d1d575f70e726eb7f2c80ebe16c79e
Instruction ID: dbe9b9105e78c10b04032105f5d92b5bf866c790b704ec770d86c5ea51ec40a5
Opcode Fuzzy Hash: ebbecff48ed410468ba6ec5c7fe6fc2da6d1d575f70e726eb7f2c80ebe16c79e
Instruction Fuzzy Hash: EA81E7B4810B00AFD360EF39D947757BEF4AB06301F40461DE4EA96695E7306459CBE7

Function 0043E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 40139072b8fd7f3a87b2210a9ea1d2632effae40a752c477479ed997710cdc42
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 75515DB15097548FE314DF69D49435BBBE1BB89318F044E2EE4E987390E379DA088B86

Function 00447520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80540f275ddad1829daa71fff5dc06cf750bd78cd7b1f4ce174ef5316dd7a525
Instruction ID: b6c7f918fba277121e248b3e30c976c6555ed576381192e624233195bb00eba0
Opcode Fuzzy Hash: 80540f275ddad1829daa71fff5dc06cf750bd78cd7b1f4ce174ef5316dd7a525
Instruction Fuzzy Hash: FC51263160C200ABE7149E18DC90B3FB7E2EB89364F288A2DE8D557391D735EC028799

Function 005BF9CC Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf81a86afc655ae0065dd73c0bcf6201c6196c0236959dbb2616b19617e3e74
Instruction ID: 438d66c9f5370c9d79a5c7178bf00b93b89b023bdfd0be78e5440fc227091030
Opcode Fuzzy Hash: daf81a86afc655ae0065dd73c0bcf6201c6196c0236959dbb2616b19617e3e74
Instruction Fuzzy Hash: E651BDB7F5122A47F3180D29CC543A27693ABE1321F2F42788E5C6B7C5D97E5D0A6384

Function 005C44B5 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1dff610ec6b7b23f4ecd044104a9665a29741fc151504444c3fd01cdef64e38
Instruction ID: 09c3973e6b3008cd98cab0ac80816f48cbfc629c0086929e6d5b115fb25689a2
Opcode Fuzzy Hash: d1dff610ec6b7b23f4ecd044104a9665a29741fc151504444c3fd01cdef64e38
Instruction Fuzzy Hash: 9F51F7F3A08100ABE718AE1DEC857BABBE6EFC4710F1A453DE3C587744E6384405C696

Function 00405A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a78ac94d1390233bb9526f82fc1eff28ca36686b96df76b17444273e567fcb9
Instruction ID: 0ed799a8487b399fded2f340fff8dd975d5b7d3f74c9c29d65f6183e1adce039
Opcode Fuzzy Hash: 9a78ac94d1390233bb9526f82fc1eff28ca36686b96df76b17444273e567fcb9
Instruction Fuzzy Hash: F451D1B1A047049FD714EF14D880927B7A0FF85328F15467EE895AB392D638EC42CF9A

Function 0042EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe23a9cfc353f88a6333ddc94c5e98f732be45deb68618c78fd0fb37925051f
Instruction ID: 08b1883dac8c3c53e1fedf1a444ca5330ddd3c20b8170c0ecfee2cb862c377ee
Opcode Fuzzy Hash: cfe23a9cfc353f88a6333ddc94c5e98f732be45deb68618c78fd0fb37925051f
Instruction Fuzzy Hash: 3641E474A00326DBDF20CF96EC907AEB7B0FF0A300F440149E941AB3A1DB389910CB99

Function 00449B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852409c1b41a7f812535eac543986e54a28c1ef97a198ad1917a38776f3955e9
Instruction ID: 59e6dc0846479520b23ed9e74e25dac48d835cf87bec0d39374df5fd6f28c7e2
Opcode Fuzzy Hash: 852409c1b41a7f812535eac543986e54a28c1ef97a198ad1917a38776f3955e9
Instruction Fuzzy Hash: 5D419D34208340ABE710DB15E9D0B2FB7E6EB85715F14882EF5899B352D339EC01DB6A

Function 00412030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a677d001378452f9222ddafdd89244ca075fbfc8bcdccc55e17e3a0b6c405d97
Instruction ID: 38ee3896e89061b6b9b4b7aad1c1923ed6004b4109221da60f1a77920c2f2a91
Opcode Fuzzy Hash: a677d001378452f9222ddafdd89244ca075fbfc8bcdccc55e17e3a0b6c405d97
Instruction Fuzzy Hash: 2041EA72A083654FD35CCF29C49027ABBE1AFC9300F09866FE5D6873D0DAB88995D785

Function 00411E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba195b4828959f65e00ce52dd80ddb8fbff997edeacb4fd00185acfab274216
Instruction ID: 0c840d80dc7db1cf292bb1f3d0b802efaca5aad10a1ee4d6f4b2c3aba18770a9
Opcode Fuzzy Hash: 1ba195b4828959f65e00ce52dd80ddb8fbff997edeacb4fd00185acfab274216
Instruction Fuzzy Hash: 4A41E1746083809BD320AB55C884B1EFBF5FB87749F14491DF6C4972A2C37AE8548B6A

Function 00448D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499e9c3a667b3ae8ec49e75ce645ca6de6dd0df058b6e6215779512e874a6000
Instruction ID: 1af04674c2d05881b2368191e4681a2de15ce0bc42faef33726db48b98ae243d
Opcode Fuzzy Hash: 499e9c3a667b3ae8ec49e75ce645ca6de6dd0df058b6e6215779512e874a6000
Instruction Fuzzy Hash: A541C031A0D2548FD304EF68C49052FFBE6AF9A300F098A2ED4D597391CB78DD018B86

Function 005C3136 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad1f1260990d2de500cef836e16c8ba03897bb2976886c552e289628957764c
Instruction ID: 15b4bcb0e529348545c2b7714d1889d27866ca773cf09ca8d77edb8ebf6a234d
Opcode Fuzzy Hash: cad1f1260990d2de500cef836e16c8ba03897bb2976886c552e289628957764c
Instruction Fuzzy Hash: 3D4125F3D081108BE744AE78DC55BAAB6D6AB94320F1F463DEEC8D3780E97D58054682

Function 0041D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bb738e1fbd457d8adb166dc3a1ef5cafc43d48fad0da79fed69c6e0ecee359
Instruction ID: 1fa252e5cddab810ed208244aa3e0b33b045eadf3a7020eac46e1ca9e4aa8002
Opcode Fuzzy Hash: 50bb738e1fbd457d8adb166dc3a1ef5cafc43d48fad0da79fed69c6e0ecee359
Instruction Fuzzy Hash: 26418EB5A483918BD730DF14C841BABB7B0FF96355F04096EE48A8B792D7788940CB5B

Function 006A03F9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a06860aa1a53c6a4298fc1c1b26511def98c1876d4ddbec513b03d42b10f0b
Instruction ID: fb837893b44007107920601b528b04ae6d01a6ead9145697dc1fd715394b9db2
Opcode Fuzzy Hash: 29a06860aa1a53c6a4298fc1c1b26511def98c1876d4ddbec513b03d42b10f0b
Instruction Fuzzy Hash: 773135B290C2009FE705BF29D88666EFBE5FF68710F060D2DE6C583650E6359894CB87

Function 0043F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: d285f7d01cb84dda45878e1b93d68cce68ace649d21f38f55e534956bd5bd8bb
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: B5212532D082244BC7289B1DC58053BF7F4EB9E704F06962EE8C4A7295E3399C1887E5

Function 004467EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bb0a0a16351f1bf1c6c1539f0de18b004dbbca40553b19ee82d601e5bf0c89
Instruction ID: 993183d09766b83cdd1ebd1949d189fdab97c3b975ebb919f492728a1d16def0
Opcode Fuzzy Hash: 22bb0a0a16351f1bf1c6c1539f0de18b004dbbca40553b19ee82d601e5bf0c89
Instruction Fuzzy Hash: 4F3133B05183829AE714DF14C49062FBBF0AF96389F54580DF4C8AB262D338D985CB9A

Function 00425E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad53ddb2add9dc148ccbfce0f9bbc6833265dcee60d8dc427d2cea672e24ee2f
Instruction ID: 7d31fed55378991ff43c1fca133364cbefcabbecef4d7c0f739c9ebd82c961a9
Opcode Fuzzy Hash: ad53ddb2add9dc148ccbfce0f9bbc6833265dcee60d8dc427d2cea672e24ee2f
Instruction Fuzzy Hash: 4E219F706082219BD310AF18D94192BB7F4EF96765F85891DF4D59B392E338C900CBAB

Function 004049A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 2766657a69684aaea989c89a71f9afbd72468d839b9abf4590859331ec77d487
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 2431C9B17482009BD7109E59D88052BB7E1EFC4358F18853EE99AA7381D239DC42CF4A

Function 004464B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4be7152b6fc8e7c35516a89d2ef9863e36723042a04817cdefcf23ca02a08de
Instruction ID: c35c485124030442b209bf42f5517a66b58d46b80538ea282a5c01156d2fd413
Opcode Fuzzy Hash: c4be7152b6fc8e7c35516a89d2ef9863e36723042a04817cdefcf23ca02a08de
Instruction Fuzzy Hash: 07214CB060C2409BE704EF19D59092EFBE5FB96745F19881DE4C593362C339E851CB6B

Function 0043B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 3dfbb7556907733fa2d0d5eee2533a12eec258710ed12801cc058efae9c9d3e0
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4A11E933A051D40EC3168D3C8441665BFA35AE7234F59539AF4B49B2D3D7268D8A839A

Function 00430B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: e4285af575ad2763c10c75501dec65d02de63dbc17c65792fa8213838d54c149
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 31015EB5B0030287E7209E9594E1B3BF2A86B8871CF18563EE80657342DB7DFC05C6A9

Function 0042D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6512b1c667dcaa1cc604779a64c1ce391463726a027d9a9669059550eb36de
Instruction ID: eb0acc647aeee065a7ab2730115a9d4438e2598d8163ab5722be64b90ddf106e
Opcode Fuzzy Hash: ab6512b1c667dcaa1cc604779a64c1ce391463726a027d9a9669059550eb36de
Instruction Fuzzy Hash: 91111FB0408380EFD3109F618484A1FFBE0EB96714F148C0DF1A49B251C379D815CF5A

Function 00406EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205e877a776a04d6abd7e4e09befea2a77073528980a632510507c7b4451283a
Instruction ID: 87e4383082226b899d821e613073bac9a3681f81062fd21b26ff0f141ba4c8e6
Opcode Fuzzy Hash: 205e877a776a04d6abd7e4e09befea2a77073528980a632510507c7b4451283a
Instruction Fuzzy Hash: F7F0243E71821A0BF210CEAAE8C083BB396D7CA365B055539EA42E3341CD72E80281D8

Function 0043B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 0041C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 0041B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 7bcdc7b673b2e1a2ee767516192a998e9dc131d5fad93922a933dc60d1f52047
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 8CF0ECB16046105BDF22CA559CC0FB7BB9CCB8B354F194427F84597203D2655885C3E9

Function 00438220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc841d7a406348b8f463a63eb878eabe2c962c804589a40256072bab34e7f2b
Instruction ID: 5feb4677dc7f436114534582e8c0716e72c97c069455e78d6c85f3d503c4cf0a
Opcode Fuzzy Hash: bdc841d7a406348b8f463a63eb878eabe2c962c804589a40256072bab34e7f2b
Instruction Fuzzy Hash: 4501E4B44107009FD360EF29C485747BBE8EB08714F008A1DE8AECB680D774A5448B82

Function 00441440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: b18676745045eb505fd510958de9bebbe50600b5266405b821066c59320c88e1
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: E5D0A73160832146AF748E19E400977F7F0EAC7B11F49955FF686E3258D234DC81C2AD

Function 00411ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc908392028c27f7ecf30c78ebf6660cf32a01492e826555e3d9857673c97f4
Instruction ID: 3959462e875e7f5f94396396db4b6aac73ad51c8efe7b3f069b69f84421685e2
Opcode Fuzzy Hash: 5cc908392028c27f7ecf30c78ebf6660cf32a01492e826555e3d9857673c97f4
Instruction Fuzzy Hash: 41C08C38A581018BC204CF00FC96436B7B8A75730D700703ADA03FB232DE20C41A890E

Function 00446094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda25dfc225e456b4df2f38464500c90323af58adcbdfe6e488d54600b94eb62
Instruction ID: f94d4dffc396abd5ac4e187ca6448e1391fa96e7b5977d0cd3ebbfb4a86c5431
Opcode Fuzzy Hash: eda25dfc225e456b4df2f38464500c90323af58adcbdfe6e488d54600b94eb62
Instruction Fuzzy Hash: 0DC09B3465C20087A50CCF04D951475F3779B97757724B02EC90723257D134E517951E

Function 00411A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ade6ef58d6580d8cbff1d8d081264510f391430feb37eef4a632f827e8cdbb
Instruction ID: 0b10629d190f61f3c639e7349cba5d02659cdba629f4b06a673533951b9fa8f9
Opcode Fuzzy Hash: e1ade6ef58d6580d8cbff1d8d081264510f391430feb37eef4a632f827e8cdbb
Instruction Fuzzy Hash: 88C09B38B59041CBC244CF85E8D2472A7FC571720C710303B9703F7271DD60D419850D

Function 00445FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180879270.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2180861916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000460000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.00000000006F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180909733.000000000070F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182515257.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183234028.00000000008AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2183248894.00000000008B0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e2c6ed00036b488e97d7b66a9e7c4df7905aef658a94aa0b4bf4ae83390246
Instruction ID: 5d07e073f59bc1d9ab006b13b9bdb4d2a63cac6ada5626c8abf9decc6d651ca6
Opcode Fuzzy Hash: e7e2c6ed00036b488e97d7b66a9e7c4df7905aef658a94aa0b4bf4ae83390246
Instruction Fuzzy Hash: 24C09224B682008BA24CCF18DD51935F2BB9B8BA9BB14B03DC906A3257E134E522860C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 0040FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 0040D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00445700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 00445BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0044695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 0041049B Relevance: .3, Instructions: 264
COMMON

Function 00410228 Relevance: .2, Instructions: 218
COMMON

Function 00443220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00443202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON