Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528603
MD5:	6e6fb447eceaa1eb52c8777a6f9aa897
SHA1:	3b373650d36a7de08168cdf7eff08e67b3b677c3
SHA256:	474f1a30307ad485850abf5f66db96c90f84d3f745c3b70130ec509be36af4be
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3356 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6E6FB447ECEAA1EB52C8777A6F9AA897)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["dissapoiznw.stor", "eaglepawnoy.stor", "mobbipenju.stor", "bathdoomgaz.stor", "licendfilteo.site", "spirittunek.stor", "clearancek.site", "studennotediw.stor"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:12:02.148343+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.5	64633	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:12:01.925315+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.5	57487	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:12:01.961797+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.5	61270	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:12:01.947697+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.5	63472	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:12:02.320127+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.5	53237	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:12:01.938034+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.5	52229	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:12:02.309637+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.5	62339	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:12:02.012629+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.5	55154	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.3356.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.stor", "eaglepawnoy.stor", "mobbipenju.stor", "bathdoomgaz.stor", "licendfilteo.site", "spirittunek.stor", "clearancek.site", "studennotediw.stor"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: spirittunek.store	Virustotal: Detection: 13%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 13%	Perma Link
Source: eaglepawnoy.store	Virustotal: Detection: 17%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 13%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 13%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 49%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0024D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0024D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_002863B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00285700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_0028695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_002899D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0024FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00256F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_0027F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00241000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00284040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00286094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0026D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00262260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00262260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_002542FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0024A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_002723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_002723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_002723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_002723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_002723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_002723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0026E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0025B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0026C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00281440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0025D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_002864B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00287520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00256536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00269510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00248590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0026E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0027B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00287710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0026D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_002867EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_002628E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00283920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0025D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_002449A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00251A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00284A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00245A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00251ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00289B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_0025DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_0025DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00270B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00253BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00251BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_0027FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00267C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_0026EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0026AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_0026AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00289CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00289CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_0026CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0026CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_0026CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0026DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_0026FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00288D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00254E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00267E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00265E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_0026AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00246EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_0024BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00256EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00251E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00250EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00269F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0027FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00256F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00287FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00287FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00248FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_0025FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00285FD6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:61270 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:57487 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:64633 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:55154 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:52229 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:63472 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:53237 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:62339 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: studennotediw.stor

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=9be4736368c59fb55776a050; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 02:12:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlYYKq( equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2072861905.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2072861905.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2072861905.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000002.2073082596.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071812749.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071927479.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/1
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2071927479.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/q
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00250228	0_2_00250228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00252030	0_2_00252030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00241000	0_2_00241000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010	0_2_00407010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00284040	0_2_00284040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E0E1	0_2_0040E0E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0028A0D0	0_2_0028A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00245160	0_2_00245160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024E1A0	0_2_0024E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C61EE	0_2_003C61EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002471F0	0_2_002471F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401254	0_2_00401254
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004122C3	0_2_004122C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002412F7	0_2_002412F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002782D0	0_2_002782D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002712D0	0_2_002712D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024A300	0_2_0024A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024B3A0	0_2_0024B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002413A3	0_2_002413A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002723E0	0_2_002723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408461	0_2_00408461
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040A479	0_2_0040A479
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026C470	0_2_0026C470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00254487	0_2_00254487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025049B	0_2_0025049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002764F0	0_2_002764F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002435B0	0_2_002435B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00248590	0_2_00248590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025C5F0	0_2_0025C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027F620	0_2_0027F620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024164F	0_2_0024164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00288652	0_2_00288652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E96C1	0_2_004E96C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002886F0	0_2_002886F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041577D	0_2_0041577D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00365772	0_2_00365772
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410860	0_2_00410860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00271860	0_2_00271860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024A850	0_2_0024A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027E8A0	0_2_0027E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027B8C0	0_2_0027B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002889A0	0_2_002889A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026098B	0_2_0026098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003FF9CC	0_2_003FF9CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BA0F	0_2_0040BA0F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041AA1D	0_2_0041AA1D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00284A40	0_2_00284A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00287AB0	0_2_00287AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00288A80	0_2_00288A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025DB6F	0_2_0025DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D7BA5	0_2_002D7BA5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00247BF0	0_2_00247BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00288C02	0_2_00288C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00286CBF	0_2_00286CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026CCD0	0_2_0026CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026DD29	0_2_0026DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026FD10	0_2_0026FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00268D62	0_2_00268D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0038ADB7	0_2_0038ADB7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00254E2A	0_2_00254E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418E56	0_2_00418E56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CE6D	0_2_0041CE6D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00288E70	0_2_00288E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026AE57	0_2_0026AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024BEB0	0_2_0024BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00256EBF	0_2_00256EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002DBF09	0_2_002DBF09
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024AF10	0_2_0024AF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A3FF9	0_2_003A3FF9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00287FC0	0_2_00287FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00248FD0	0_2_00248FD0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0024CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0025D300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9995939047029703
Source: file.exe	Static PE information: Section: bkrfjoau ZLIB complexity 0.9945621253330373

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00278220 CoCreateInstance,

0_2_00278220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 49%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1900032 > 1048576

Source: file.exe

Static PE information: Raw size of bkrfjoau is bigger than: 0x100000 < 0x1a6400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.240000.0.unpack :EW;.rsrc :W;.idata :W; :EW;bkrfjoau:EW;rmllwxbw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;bkrfjoau:EW;rmllwxbw:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1df0eb should be: 0x1dd70b

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: bkrfjoau
Source: file.exe	Static PE information: section name: rmllwxbw
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049304E push 0FBE3B00h; mov dword ptr [esp], eax	0_2_00493076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00503017 push 33449BD0h; mov dword ptr [esp], edx	0_2_0050305C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ecx; mov dword ptr [esp], 4C5E08F8h	0_2_00407027
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ebx; mov dword ptr [esp], 24D2B124h	0_2_0040705E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push esi; mov dword ptr [esp], 2B064EE4h	0_2_00407069
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 0985E673h; mov dword ptr [esp], edi	0_2_00407089
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 63D04460h; mov dword ptr [esp], edi	0_2_00407096
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ebp; mov dword ptr [esp], esi	0_2_0040709A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ebx; mov dword ptr [esp], 5DFF7C91h	0_2_004070D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push edx; mov dword ptr [esp], 71422666h	0_2_004071C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 362D96F9h; mov dword ptr [esp], ebx	0_2_004071E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ecx; mov dword ptr [esp], edx	0_2_00407235
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 3F8B2A36h; mov dword ptr [esp], edx	0_2_0040727F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 6DE97919h; mov dword ptr [esp], edx	0_2_00407314
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 2C31BBD1h; mov dword ptr [esp], ebp	0_2_00407351
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push esi; mov dword ptr [esp], 00000000h	0_2_00407365
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 05259C87h; mov dword ptr [esp], edi	0_2_00407441
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 3F593084h; mov dword ptr [esp], edx	0_2_00407458
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push edi; mov dword ptr [esp], 7F79F215h	0_2_00407461
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push esi; mov dword ptr [esp], edx	0_2_00407469
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ecx; mov dword ptr [esp], ebx	0_2_00407507
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ecx; mov dword ptr [esp], 6632BAF2h	0_2_004075A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push esi; mov dword ptr [esp], edx	0_2_004075D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 5E5225CBh; mov dword ptr [esp], ebx	0_2_00407637
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ecx; mov dword ptr [esp], eax	0_2_004076BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push edi; mov dword ptr [esp], eax	0_2_00407710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push ecx; mov dword ptr [esp], 7FE102ABh	0_2_00407767
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 2AF78227h; mov dword ptr [esp], ebx	0_2_00407798
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push eax; mov dword ptr [esp], edx	0_2_0040783A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push edx; mov dword ptr [esp], ebx	0_2_004078E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407010 push 7A7B8C91h; mov dword ptr [esp], edi	0_2_0040794D

Source: file.exe	Static PE information: section name: entropy: 7.982694962288492
Source: file.exe	Static PE information: section name: bkrfjoau entropy: 7.954491518735738

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 421585 second address: 421598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F2281115B56h 0x0000000a push edx 0x0000000b pop edx 0x0000000c jo 00007F2281115B56h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 421598 second address: 4215BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F228108A3F9h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jns 00007F228108A3E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 40E8A8 second address: 40E8B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4205B8 second address: 4205BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4205BE second address: 4205D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F2281115B56h 0x0000000a popad 0x0000000b jo 00007F2281115B58h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4205D4 second address: 4205DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4205DC second address: 4205FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2281115B68h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4205FB second address: 420615 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F228108A3EFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4207BF second address: 4207C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4207C3 second address: 4207D0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F228108A3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4207D0 second address: 4207E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F2281115B5Ch 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4207E5 second address: 4207EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 420937 second address: 42093D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424902 second address: 42493C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b movzx edx, cx 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122DB9ACh], ecx 0x00000016 call 00007F228108A3E9h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jnl 00007F228108A3E6h 0x00000024 js 00007F228108A3E6h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42493C second address: 424957 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424957 second address: 42495B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42495B second address: 424971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424CA5 second address: 424CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424CA9 second address: 424CCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D2BD9h] 0x0000000e push 00000000h 0x00000010 sub dx, 27B7h 0x00000015 call 00007F2281115B59h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424CCD second address: 424CE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424CE1 second address: 424CFE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2281115B63h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424CFE second address: 424D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424D02 second address: 424D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 424D06 second address: 424D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 442F21 second address: 442F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4431CF second address: 4431D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4431D3 second address: 4431DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4431DE second address: 44320D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F228108A3EDh 0x0000000a popad 0x0000000b jo 00007F228108A42Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F228108A3F4h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4434DB second address: 4434E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4434E6 second address: 4434EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4434EC second address: 4434F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4434F0 second address: 443515 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F228108A3F1h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4437C7 second address: 4437D7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F2281115B56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 443963 second address: 443974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007F228108A3E6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 443974 second address: 44397A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 44397A second address: 443980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 443980 second address: 443985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 443985 second address: 44398B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 443B2E second address: 443B44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 jo 00007F2281115B56h 0x0000000d popad 0x0000000e js 00007F2281115B5Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 44413A second address: 44413F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 444CF3 second address: 444D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jo 00007F2281115B56h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 444D06 second address: 444D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 449DD6 second address: 449DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4510F6 second address: 451114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F228108A3F7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4512A0 second address: 4512D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F2281115B67h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4512D3 second address: 4512D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4512D9 second address: 4512DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4512DD second address: 4512E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453C8C second address: 453CD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 1AEA150Eh 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F2281115B58h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov edi, dword ptr [ebp+122D2ACDh] 0x00000030 call 00007F2281115B59h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453CD5 second address: 453CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453CD9 second address: 453CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453CDF second address: 453CFC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F228108A3F2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453CFC second address: 453D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F2281115B56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453D06 second address: 453D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453D0A second address: 453D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F2281115B58h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453D20 second address: 453D48 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F228108A3E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F228108A3F7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4543A0 second address: 4543C2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2281115B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2281115B66h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 454843 second address: 454848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 454D52 second address: 454D56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 454D56 second address: 454D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 454D5C second address: 454D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45531E second address: 4553BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007F228108A3F8h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F228108A3E8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b adc esi, 1FD3D6BFh 0x00000031 push 00000000h 0x00000033 jno 00007F228108A3EBh 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007F228108A3E8h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 0000001Dh 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 xchg eax, ebx 0x00000056 jmp 00007F228108A3F7h 0x0000005b push eax 0x0000005c pushad 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4553BE second address: 4553CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2281115B56h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 456DF7 second address: 456DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 456DFB second address: 456E05 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2281115B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 456E05 second address: 456E51 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F228108A3ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov esi, eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F228108A3E8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b or edi, 68DD838Bh 0x00000031 or dword ptr [ebp+122D243Bh], ecx 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a pushad 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4577A9 second address: 4577AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4577AD second address: 4577B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4582AB second address: 4582B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4582B0 second address: 4582DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228108A3ECh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F228108A3F7h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4582DF second address: 458337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2281115B5Fh 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d jno 00007F2281115B5Ch 0x00000013 jg 00007F2281115B5Ch 0x00000019 popad 0x0000001a push 00000000h 0x0000001c mov esi, 6CA7C3FEh 0x00000021 jmp 00007F2281115B64h 0x00000026 push 00000000h 0x00000028 mov di, CB0Ch 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 458337 second address: 45833B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45833B second address: 458358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 458D1C second address: 458D30 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F228108A3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4596B1 second address: 4596B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4596B7 second address: 4596D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4596D6 second address: 4596DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45A153 second address: 45A15D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F228108A3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45A15D second address: 45A1F4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2281115B5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F2281115B58h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 call 00007F2281115B5Bh 0x0000002c sbb di, 893Ah 0x00000031 pop edi 0x00000032 push 00000000h 0x00000034 jc 00007F2281115B56h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push esi 0x0000003f call 00007F2281115B58h 0x00000044 pop esi 0x00000045 mov dword ptr [esp+04h], esi 0x00000049 add dword ptr [esp+04h], 00000018h 0x00000051 inc esi 0x00000052 push esi 0x00000053 ret 0x00000054 pop esi 0x00000055 ret 0x00000056 xchg eax, ebx 0x00000057 push edx 0x00000058 jmp 00007F2281115B64h 0x0000005d pop edx 0x0000005e push eax 0x0000005f pushad 0x00000060 jl 00007F2281115B58h 0x00000066 pushad 0x00000067 popad 0x00000068 push eax 0x00000069 push edx 0x0000006a jp 00007F2281115B56h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45A1F4 second address: 45A1F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45BC70 second address: 45BCE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b jmp 00007F2281115B69h 0x00000010 nop 0x00000011 mov di, si 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F2281115B58h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 push edi 0x00000031 sbb ebx, 788D1A68h 0x00000037 pop edi 0x00000038 mov dword ptr [ebp+12451F7Dh], ebx 0x0000003e sub edi, 11ACEB4Ah 0x00000044 push 00000000h 0x00000046 xor bx, E100h 0x0000004b xchg eax, esi 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jl 00007F2281115B56h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45BCE2 second address: 45BCE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45BCE6 second address: 45BD05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2281115B64h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45BEAD second address: 45BEB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45ECD9 second address: 45ECDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45ECDD second address: 45ECE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45ECE7 second address: 45ECEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45ECEB second address: 45ECF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45FCEF second address: 45FD6B instructions: 0x00000000 rdtsc 0x00000002 je 00007F2281115B5Ch 0x00000008 jp 00007F2281115B56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jnc 00007F2281115B60h 0x00000017 nop 0x00000018 jmp 00007F2281115B5Bh 0x0000001d push 00000000h 0x0000001f jmp 00007F2281115B66h 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F2281115B58h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 mov edi, eax 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F2281115B5Dh 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45EE55 second address: 45EE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45FD6B second address: 45FD87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2281115B67h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45EE5E second address: 45EE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45FF40 second address: 45FF46 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460F54 second address: 460F5E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F228108A3ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45FF46 second address: 45FF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460011 second address: 460015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46208B second address: 46208F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460015 second address: 460019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 463D41 second address: 463DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push ebx 0x00000007 jns 00007F2281115B5Ch 0x0000000d pop ebx 0x0000000e nop 0x0000000f mov edi, 10649F4Dh 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F2281115B58h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov dword ptr [ebp+12451F0Bh], esi 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F2281115B58h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 463DAC second address: 463DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 463DB2 second address: 463DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 465D51 second address: 465D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4662C4 second address: 4662C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4662C8 second address: 466312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F228108A3F4h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F228108A3F8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 466312 second address: 46632B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2281115B64h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46632B second address: 46638F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov ebx, dword ptr [ebp+122D3033h] 0x0000000e push 00000000h 0x00000010 add bx, C798h 0x00000015 mov edi, dword ptr [ebp+122D298Dh] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F228108A3E8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov di, bx 0x0000003a xchg eax, esi 0x0000003b jmp 00007F228108A3F6h 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jp 00007F228108A3E8h 0x00000049 push edx 0x0000004a pop edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46638F second address: 466394 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46849B second address: 4684A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4684A1 second address: 4684B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jne 00007F2281115B56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 413888 second address: 41389E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F228108A3F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41389E second address: 4138BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 468B8C second address: 468B96 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F228108A3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 469A76 second address: 469AF8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2281115B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2281115B5Dh 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 movzx ebx, si 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F2281115B58h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 cld 0x00000033 call 00007F2281115B60h 0x00000038 pushad 0x00000039 mov ch, D0h 0x0000003b mov di, 6FF2h 0x0000003f popad 0x00000040 pop ebx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ebp 0x00000046 call 00007F2281115B58h 0x0000004b pop ebp 0x0000004c mov dword ptr [esp+04h], ebp 0x00000050 add dword ptr [esp+04h], 00000014h 0x00000058 inc ebp 0x00000059 push ebp 0x0000005a ret 0x0000005b pop ebp 0x0000005c ret 0x0000005d push eax 0x0000005e push ebx 0x0000005f push eax 0x00000060 push edx 0x00000061 jnc 00007F2281115B56h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46650E second address: 46658C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F228108A3F0h 0x0000000f mov di, E392h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F228108A3E8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 jmp 00007F228108A3EBh 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov di, cx 0x00000043 mov eax, dword ptr [ebp+122D0819h] 0x00000049 mov dword ptr [ebp+122DB9ACh], edx 0x0000004f push FFFFFFFFh 0x00000051 mov bx, C1A9h 0x00000055 push eax 0x00000056 pushad 0x00000057 jp 00007F228108A3ECh 0x0000005d jng 00007F228108A3ECh 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 463FC9 second address: 463FCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46ACC9 second address: 46ACCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46ACCD second address: 46ACD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46ACD3 second address: 46ACDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46CB7B second address: 46CB95 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2281115B5Ch 0x00000008 ja 00007F2281115B56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F2281115B56h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46DB8C second address: 46DB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46CD6C second address: 46CD76 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2281115B5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46CD76 second address: 46CE06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F228108A3E8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 push dword ptr fs:[00000000h] 0x00000028 mov edi, 44B04D40h 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 jg 00007F228108A3E8h 0x0000003a add dword ptr [ebp+122D248Fh], esi 0x00000040 mov eax, dword ptr [ebp+122D0F35h] 0x00000046 mov edi, dword ptr [ebp+122D2499h] 0x0000004c mov ebx, ecx 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push esi 0x00000053 call 00007F228108A3E8h 0x00000058 pop esi 0x00000059 mov dword ptr [esp+04h], esi 0x0000005d add dword ptr [esp+04h], 00000014h 0x00000065 inc esi 0x00000066 push esi 0x00000067 ret 0x00000068 pop esi 0x00000069 ret 0x0000006a jmp 00007F228108A3F3h 0x0000006f nop 0x00000070 jc 00007F228108A3EEh 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46CE06 second address: 46CE11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 470FE1 second address: 470FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 470FEA second address: 470FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 476AA3 second address: 476ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F228108A3EAh 0x0000000a jg 00007F228108A409h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 476ADF second address: 476AE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 476AE5 second address: 476AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F228108A3EFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 476AFF second address: 476B29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F2281115B74h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479BA2 second address: 479BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479BA9 second address: 479BBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F2281115B56h 0x0000000b js 00007F2281115B56h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479BBF second address: 479BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479D35 second address: 479D43 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2281115B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479D43 second address: 479D4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479EE3 second address: 479F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2281115B61h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F2281115B56h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479F06 second address: 479F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479F0A second address: 479F10 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479F10 second address: 479F1C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F228108A3EEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47A06C second address: 47A073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47E75F second address: 47E764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47E764 second address: 47E76A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47E76A second address: 47E777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47E777 second address: 47E796 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2281115B5Fh 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47E796 second address: 47E7C8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F228108A3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jo 00007F228108A3E6h 0x00000011 pop esi 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007F228108A3ECh 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e pushad 0x0000001f jo 00007F228108A3E8h 0x00000025 push eax 0x00000026 pop eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47E7C8 second address: 47E7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4835A0 second address: 4835D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F228108A3EBh 0x0000000a jmp 00007F228108A3F2h 0x0000000f jmp 00007F228108A3F2h 0x00000014 popad 0x00000015 pushad 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 483C93 second address: 483CA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F2281115B5Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 483CA3 second address: 483CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007F228108A3E8h 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4840F4 second address: 4840FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4846ED second address: 4846F9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F228108A3E6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4846F9 second address: 4846FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 489C12 second address: 489C1C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F228108A3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A133 second address: 48A156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2281115B68h 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A156 second address: 48A179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228108A3F2h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jnp 00007F228108A3ECh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A179 second address: 48A1B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2281115B67h 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F2281115B56h 0x00000011 jmp 00007F2281115B65h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A1B1 second address: 48A1CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A1CC second address: 48A1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A2E6 second address: 48A317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228108A3F5h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F228108A3F2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48996F second address: 489973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A64F second address: 48A661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007F228108A3E6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A79F second address: 48A7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2281115B56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A7AB second address: 48A7B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 494734 second address: 494739 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 494739 second address: 494757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F228108A3E6h 0x0000000a jmp 00007F228108A3EFh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 494757 second address: 494761 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2281115B56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4930BC second address: 4930C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4930C0 second address: 4930D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4930D8 second address: 4930DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4930DC second address: 4930EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F2281115B5Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 493387 second address: 49338E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4934F3 second address: 49352B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2281115B56h 0x0000000a pop esi 0x0000000b jmp 00007F2281115B68h 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F2281115B5Dh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49352B second address: 493534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 493534 second address: 49353A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4937FB second address: 49380E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 js 00007F228108A3E6h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 493B0E second address: 493B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2281115B56h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2281115B68h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 493B35 second address: 493B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 493B39 second address: 493B3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 493CA7 second address: 493CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F228108A3E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F228108A3F0h 0x00000012 jbe 00007F228108A3E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 493CCA second address: 493CEC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2281115B61h 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 493CEC second address: 493D06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F228108A3EEh 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 438AB7 second address: 438ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 438ABD second address: 438AC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 438AC6 second address: 438AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2281115B56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 438AD1 second address: 438AD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 438AD6 second address: 438AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F2281115B56h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 438AE9 second address: 438AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 492DED second address: 492E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F2281115B5Dh 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45269A second address: 4526A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4526A3 second address: 4526A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 452D15 second address: 452D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 452D20 second address: 452D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2281115B56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453013 second address: 4530AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007F228108A3E8h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 0000001Ah 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 jmp 00007F228108A3F3h 0x00000025 jmp 00007F228108A3F4h 0x0000002a push 00000004h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007F228108A3E8h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 nop 0x00000047 push edx 0x00000048 jmp 00007F228108A3EFh 0x0000004d pop edx 0x0000004e push eax 0x0000004f pushad 0x00000050 pushad 0x00000051 jmp 00007F228108A3F0h 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453601 second address: 45361B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2281115B65h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45361B second address: 453633 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F228108A3E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4538D9 second address: 4538F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jc 00007F2281115B56h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4538F0 second address: 45395C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007F228108A3E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F228108A3E8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 jmp 00007F228108A3EEh 0x0000002e xor di, BF7Fh 0x00000033 movsx ecx, dx 0x00000036 lea eax, dword ptr [ebp+12482211h] 0x0000003c jmp 00007F228108A3F3h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 je 00007F228108A3E6h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45395C second address: 453962 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453962 second address: 438AB7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F228108A3E8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f add cx, 9C14h 0x00000014 call dword ptr [ebp+122D2893h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4986E9 second address: 4986F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2281115B56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4986F4 second address: 498710 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 498857 second address: 498864 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2281115B58h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 498864 second address: 49886A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4989A7 second address: 4989B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 498E2B second address: 498E36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 498E36 second address: 498E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jl 00007F2281115B68h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 498E47 second address: 498E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49C823 second address: 49C829 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49C829 second address: 49C83F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F228108A3F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49EC6E second address: 49EC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49EC72 second address: 49EC76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 40CEF3 second address: 40CEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49E7F7 second address: 49E80E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F228108A3EDh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49E80E second address: 49E812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49E812 second address: 49E82B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49E82B second address: 49E83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F2281115B56h 0x0000000e je 00007F2281115B56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49E83F second address: 49E843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49E843 second address: 49E859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F2281115B56h 0x00000010 jnp 00007F2281115B56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1461 second address: 4A146A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1776 second address: 4A1780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A18D5 second address: 4A18EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228108A3F3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A18EE second address: 4A18FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A33EF second address: 4A3412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F228108A3E8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A3412 second address: 4A3417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A3417 second address: 4A341D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A341D second address: 4A3421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A3421 second address: 4A343B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7214 second address: 4A7227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F2281115B56h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7227 second address: 4A7234 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F228108A3E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A73BA second address: 4A73BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A73BE second address: 4A73D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F228108A3EAh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A77EE second address: 4A77F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7939 second address: 4A7948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F228108A3E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7948 second address: 4A7955 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2281115B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD630 second address: 4AD648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228108A3F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD648 second address: 4AD64E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD7A5 second address: 4AD7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD7AB second address: 4AD7AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD7AF second address: 4AD7B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD7B5 second address: 4AD7C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F2281115B56h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD7C7 second address: 4AD7E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453321 second address: 45333C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2281115B56h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2281115B5Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45333C second address: 453343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ADE19 second address: 4ADE1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1905 second address: 4B192B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F228108A3E8h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F228108A3F4h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B192B second address: 4B192F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B192F second address: 4B1935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1935 second address: 4B1944 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2281115B5Ah 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1944 second address: 4B194C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9647 second address: 4B9650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9650 second address: 4B9656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B7E1F second address: 4B7E31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F2281115B56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B7E31 second address: 4B7E3B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F228108A3E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B7E3B second address: 4B7E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8151 second address: 4B8157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8157 second address: 4B8165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2281115B5Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8165 second address: 4B816F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B816F second address: 4B8175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8CF4 second address: 4B8CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8FDD second address: 4B8FF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B5Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8FF4 second address: 4B902F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F228108A3E6h 0x00000008 jmp 00007F228108A3F3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007F228108A3F7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B902F second address: 4B9047 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2281115B56h 0x00000008 js 00007F2281115B56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F2281115B56h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9047 second address: 4B904B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B92D9 second address: 4B9315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007F2281115B56h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jg 00007F2281115B56h 0x00000015 popad 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a jmp 00007F2281115B69h 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jnp 00007F2281115B56h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B9315 second address: 4B932C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F228108A3E6h 0x00000008 jmp 00007F228108A3EDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD571 second address: 4BD577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD577 second address: 4BD590 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F228108A3ECh 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD590 second address: 4BD5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 js 00007F2281115B79h 0x0000000c jmp 00007F2281115B63h 0x00000011 pushad 0x00000012 js 00007F2281115B56h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD830 second address: 4BD834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD9C6 second address: 4BD9D5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2281115B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD9D5 second address: 4BD9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDEFE second address: 4BDF02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDF02 second address: 4BDF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDF08 second address: 4BDF0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDF0D second address: 4BDF1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDF1A second address: 4BDF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C997A second address: 4C997E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C997E second address: 4C99A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2281115B60h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F2281115B64h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C99A8 second address: 4C99B4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F228108A3EEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C99B4 second address: 4C99C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F2281115B56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C99C3 second address: 4C99C9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C9FFD second address: 4CA007 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2281115B56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA40E second address: 4CA412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA412 second address: 4CA418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA418 second address: 4CA41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA41E second address: 4CA439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F2281115B5Dh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA58D second address: 4CA591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CAF59 second address: 4CAF5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CAF5E second address: 4CAF82 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F228108A3FBh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CAF82 second address: 4CAF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CB6F5 second address: 4CB6FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C94EA second address: 4C94FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2281115B5Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C94FD second address: 4C951A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F228108A3F8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D365A second address: 4D365E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D37AE second address: 4D37B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D38DF second address: 4D38E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D38E3 second address: 4D38E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D38E7 second address: 4D38F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jo 00007F2281115B56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D38F9 second address: 4D3933 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 jo 00007F228108A3E6h 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a pushad 0x0000001b jng 00007F228108A3E6h 0x00000021 push eax 0x00000022 pop eax 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D53FC second address: 4D541A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2281115B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F2281115B5Eh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E1040 second address: 4E1062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F228108A3E8h 0x0000000c popad 0x0000000d push ebx 0x0000000e jne 00007F228108A3EEh 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E119E second address: 4E11A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E11A7 second address: 4E11C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F228108A3F5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2BCB second address: 4E2BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2BCF second address: 4E2BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2BDB second address: 4E2BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2BDF second address: 4E2BFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F228108A3ECh 0x00000007 je 00007F228108A3E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2BFB second address: 4E2BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E42AD second address: 4E42D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F228108A3F9h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E42D3 second address: 4E42EE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2281115B58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2281115B5Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E6243 second address: 4E6249 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E6249 second address: 4E626C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2281115B69h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E626C second address: 4E6270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5E24 second address: 4E5E2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5E2C second address: 4E5E36 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F228108A3EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5F7F second address: 4E5F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2281115B56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5F89 second address: 4E5F93 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F228108A3E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5F93 second address: 4E5FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push esi 0x0000000c jp 00007F2281115B56h 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5FAC second address: 4E5FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5FB0 second address: 4E5FB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F573F second address: 4F5743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F76D3 second address: 4F76D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F76D9 second address: 4F76DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F76DF second address: 4F76E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F76E5 second address: 4F76E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F76E9 second address: 4F76ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F76ED second address: 4F7705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jng 00007F228108A3E6h 0x00000011 jns 00007F228108A3E6h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F7705 second address: 4F771B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2281115B5Bh 0x00000008 jl 00007F2281115B56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FCD6D second address: 4FCD73 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 502146 second address: 50214E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50214E second address: 502154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 502154 second address: 50215A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50215A second address: 502160 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5026CB second address: 5026D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50282D second address: 50283F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F228108A3ECh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50283F second address: 502845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 502845 second address: 502849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 502849 second address: 50284D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50284D second address: 502888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F228108A3E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F228108A403h 0x00000012 je 00007F228108A3E6h 0x00000018 jmp 00007F228108A3F7h 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 push ecx 0x00000021 push edx 0x00000022 pop edx 0x00000023 pushad 0x00000024 popad 0x00000025 pop ecx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 502A04 second address: 502A0E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2281115B56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5066C0 second address: 5066C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5066C5 second address: 5066CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5063C8 second address: 5063CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4152D0 second address: 4152D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51BA67 second address: 51BA77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007F228108A3E6h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51BA77 second address: 51BA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51BA7D second address: 51BA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51BA82 second address: 51BA87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51BA87 second address: 51BA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515120 second address: 515125 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5287E5 second address: 5287EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F228108A3E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5287EF second address: 528812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2281115B66h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 528812 second address: 528818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 543CD3 second address: 543CDD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2281115B56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 542E1A second address: 542E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 542E24 second address: 542E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2281115B56h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5433F3 second address: 543411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F228108A3F5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 545489 second address: 54548D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54548D second address: 5454E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F228108A3F8h 0x0000000b jmp 00007F228108A3EFh 0x00000010 jnp 00007F228108A3FFh 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jbe 00007F228108A3E6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5454E5 second address: 5454F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnl 00007F2281115B56h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549521 second address: 549525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54AFD0 second address: 54AFD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D70DA6 second address: 4D70E56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bl, 20h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, dword ptr [eax+00000FDCh] 0x00000010 pushad 0x00000011 mov ch, C4h 0x00000013 mov cl, bl 0x00000015 popad 0x00000016 test ecx, ecx 0x00000018 pushad 0x00000019 call 00007F228108A3F4h 0x0000001e pop ebx 0x0000001f mov cx, 2CDDh 0x00000023 popad 0x00000024 jns 00007F228108A46Bh 0x0000002a pushad 0x0000002b mov ebx, eax 0x0000002d pushfd 0x0000002e jmp 00007F228108A3F2h 0x00000033 adc esi, 63980668h 0x00000039 jmp 00007F228108A3EBh 0x0000003e popfd 0x0000003f popad 0x00000040 add eax, ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F228108A3EBh 0x0000004b jmp 00007F228108A3F3h 0x00000050 popfd 0x00000051 pushfd 0x00000052 jmp 00007F228108A3F8h 0x00000057 and cl, 00000028h 0x0000005a jmp 00007F228108A3EBh 0x0000005f popfd 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D70E56 second address: 4D70E5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 448914 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 2A3AD6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 45270A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 4D6C85 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 2000	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2828	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2073082596.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073082596.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071812749.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071927479.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2072861905.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071927479.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00285BB0 LdrInitializeThunk,

0_2_00285BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor

Source: file.exe, file.exe, 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: fProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	49%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
spirittunek.store	14%	Virustotal	Browse
licendfilteo.site	16%	Virustotal	Browse
dissapoiznw.store	14%	Virustotal	Browse
eaglepawnoy.store	18%	Virustotal	Browse
studennotediw.store	18%	Virustotal	Browse
mobbipenju.store	14%	Virustotal	Browse
bathdoomgaz.store	14%	Virustotal	Browse
clearancek.site	18%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	0%	Virustotal		Browse
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://steamcommunity.com/1	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
https://www.youtube.com	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://steamcommunity.com/workshop/	0%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
clearancek.site	18%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	0%	Virustotal		Browse
licendfilteo.site	16%	Virustotal		Browse
https://steamcommunity.com/q	0%	Virustotal		Browse
http://127.0.0.1:27060	0%	Virustotal		Browse
https://steamcommunity.com	0%	Virustotal		Browse
https://sketchfab.com	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	0%	Virustotal		Browse
https://www.google.com/recaptcha/	0%	Virustotal		Browse
https://steamcommunity.com/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	false	0%, Virustotal, Browse	unknown
eaglepawnoy.store	unknown	unknown	false	18%, Virustotal, Browse	unknown
bathdoomgaz.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
spirittunek.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
licendfilteo.site	unknown	unknown	true	16%, Virustotal, Browse	unknown
studennotediw.store	unknown	unknown	false	18%, Virustotal, Browse	unknown
mobbipenju.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
clearancek.site	unknown	unknown	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	unknown	unknown	false	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true	18%, Virustotal, Browse	unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true	16%, Virustotal, Browse	unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://player.vimeo.com	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2072861905.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/1	file.exe, 00000000.00000002.2073082596.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071812749.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071927479.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2072861905.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.youtube.com	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://login.steampowered.com/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/q	file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://sketchfab.com	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://lv.queniujq.cn	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://127.0.0.1:27060	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2072861905.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.2072001569.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.2071812749.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071747079.0000000001014000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000002.2073133192.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2071747079.0000000001019000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528603
Start date and time:	2024-10-08 04:11:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:12:01	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	copyright_infringement_evidence_1.exe	Get hash	malicious	Unknown	Browse	23.47.168.24
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Copyright_Infringement_Evidence.exe	Get hash	malicious	Unknown	Browse	96.17.64.189
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ctMI3TYXpX.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.947564659776439
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'900'032 bytes
MD5:	6e6fb447eceaa1eb52c8777a6f9aa897
SHA1:	3b373650d36a7de08168cdf7eff08e67b3b677c3
SHA256:	474f1a30307ad485850abf5f66db96c90f84d3f745c3b70130ec509be36af4be
SHA512:	4b209b875d9edf7e88964122395758550fddb14912a177bcb9698a1fcee841017fae9aa7613d2419690bb8840f896f085f7925f9bab4322ebff9f006bd1dbac7
SSDEEP:	24576:tbChgdY+q2ebQFB2Nh9JDW1aYY4VQbUM4QFevnI3hjkEP99GLBL2rtfpRmiqGqCc:pGglqoB2N9WMB4VQUuAI2EP991ReI7i
TLSH:	069533056DA5E1CBE6C0583A4821B2C7B7BFDB36C9B605E0321165FA701C3FE675A613
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................K...........@.......................... L...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8bf000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F22809A2DBAh
paddusb mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F22809A4DB5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	645182e178095863ac6046094c0823f4	False	0.9995939047029703	data	7.982694962288492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2b7000	0x200	15e1bbceb6448eb1da78d68baf95aae3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bkrfjoau	0x317000	0x1a7000	0x1a6400	312752e69bdbcc8be77ada5d702a336c	False	0.9945621253330373	data	7.954491518735738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rmllwxbw	0x4be000	0x1000	0x600	e481d5101113757f4ad6745f11ed60cb	False	0.5865885416666666	data	5.091030307486954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4bf000	0x3000	0x2200	4c287b8b3603767f015e583e754ba1c3	False	0.00666360294117647	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T04:12:01.925315+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.5	57487	1.1.1.1	53	UDP
2024-10-08T04:12:01.938034+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.5	52229	1.1.1.1	53	UDP
2024-10-08T04:12:01.947697+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.5	63472	1.1.1.1	53	UDP
2024-10-08T04:12:01.961797+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.5	61270	1.1.1.1	53	UDP
2024-10-08T04:12:02.012629+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.5	55154	1.1.1.1	53	UDP
2024-10-08T04:12:02.148343+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.5	64633	1.1.1.1	53	UDP
2024-10-08T04:12:02.309637+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.5	62339	1.1.1.1	53	UDP
2024-10-08T04:12:02.320127+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.5	53237	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 04:12:02.440979004 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:02.441019058 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:02.441128969 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:02.442858934 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:02.442874908 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.094345093 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.094435930 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.098851919 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.098860979 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.099232912 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.144979954 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.157959938 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.199403048 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.558573961 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.558605909 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.558646917 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.558661938 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.558682919 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.558892012 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.558892012 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.558917046 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.559148073 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.646390915 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.646456957 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.646614075 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.646614075 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.646749020 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.648488998 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.648511887 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 04:12:03.648525000 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 04:12:03.648530006 CEST	443	49704	104.102.49.254	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 04:12:01.925314903 CEST	57487	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:01.933909893 CEST	53	57487	1.1.1.1	192.168.2.5
Oct 8, 2024 04:12:01.938034058 CEST	52229	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:01.946373940 CEST	53	52229	1.1.1.1	192.168.2.5
Oct 8, 2024 04:12:01.947696924 CEST	63472	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:01.956362963 CEST	53	63472	1.1.1.1	192.168.2.5
Oct 8, 2024 04:12:01.961796999 CEST	61270	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:01.971537113 CEST	53	61270	1.1.1.1	192.168.2.5
Oct 8, 2024 04:12:02.012629032 CEST	55154	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:02.021172047 CEST	53	55154	1.1.1.1	192.168.2.5
Oct 8, 2024 04:12:02.148343086 CEST	64633	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:02.157159090 CEST	53	64633	1.1.1.1	192.168.2.5
Oct 8, 2024 04:12:02.309637070 CEST	62339	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:02.318748951 CEST	53	62339	1.1.1.1	192.168.2.5
Oct 8, 2024 04:12:02.320127010 CEST	53237	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:02.332026005 CEST	53	53237	1.1.1.1	192.168.2.5
Oct 8, 2024 04:12:02.400800943 CEST	59573	53	192.168.2.5	1.1.1.1
Oct 8, 2024 04:12:02.407969952 CEST	53	59573	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 04:12:01.925314903 CEST	192.168.2.5	1.1.1.1	0x8f8a	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:01.938034058 CEST	192.168.2.5	1.1.1.1	0xba29	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:01.947696924 CEST	192.168.2.5	1.1.1.1	0x208a	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:01.961796999 CEST	192.168.2.5	1.1.1.1	0x99e4	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.012629032 CEST	192.168.2.5	1.1.1.1	0x5d90	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.148343086 CEST	192.168.2.5	1.1.1.1	0x33fc	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.309637070 CEST	192.168.2.5	1.1.1.1	0xbbf2	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.320127010 CEST	192.168.2.5	1.1.1.1	0xb3b3	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.400800943 CEST	192.168.2.5	1.1.1.1	0x95d9	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 04:12:01.933909893 CEST	1.1.1.1	192.168.2.5	0x8f8a	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:01.946373940 CEST	1.1.1.1	192.168.2.5	0xba29	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:01.956362963 CEST	1.1.1.1	192.168.2.5	0x208a	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:01.971537113 CEST	1.1.1.1	192.168.2.5	0x99e4	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.021172047 CEST	1.1.1.1	192.168.2.5	0x5d90	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.157159090 CEST	1.1.1.1	192.168.2.5	0x33fc	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.318748951 CEST	1.1.1.1	192.168.2.5	0xbbf2	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.332026005 CEST	1.1.1.1	192.168.2.5	0xb3b3	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:12:02.407969952 CEST	1.1.1.1	192.168.2.5	0x95d9	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.102.49.254	443	3356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 02:12:03 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-08 02:12:03 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 08 Oct 2024 02:12:03 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=9be4736368c59fb55776a050; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-08 02:12:03 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-08 02:12:03 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	0
Start time:	22:11:59
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x240000
File size:	1'900'032 bytes
MD5 hash:	6E6FB447ECEAA1EB52C8777A6F9AA897
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60%
Total number of Nodes:	50
Total number of Limit Nodes:	5

Executed Functions

Function 0024FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 0024FEDC
J|BJ, xrefs: 0025000D
VY^_, xrefs: 0024FDFF
t, xrefs: 0024FCBE

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 2561b7811ab2ca1ed5d69e0cd68c90a5d3b5b34afe43065a351cd82643fe6eca
Instruction ID: a167fe0a232f30f2268761d0d1dc9155dea669418621512f7c99615aed6cdecc
Opcode Fuzzy Hash: 2561b7811ab2ca1ed5d69e0cd68c90a5d3b5b34afe43065a351cd82643fe6eca
Instruction Fuzzy Hash: 23D1977452C3819BD314DF148990A2FBBE1AB92B45F18881CF8C98B252D336CD19DB97

Function 0024D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0024D2F0

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 4272d8d802ab1159a02e4f9df582a609818d97c4fd223dc9dc256c85d9275cbc
Instruction ID: 63f8433ac3161120705f593963633038f444b1d9788c4e20ac6e3d6ee70ff43c
Opcode Fuzzy Hash: 4272d8d802ab1159a02e4f9df582a609818d97c4fd223dc9dc256c85d9275cbc
Instruction Fuzzy Hash: D741327452D380ABD705BF68D584A2EFBE5AF52705F148C0CE9C89B252C336E8248B67

Function 00285700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00285784

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ccec957d20f58c3e9f26b9c8a971be4944bbf4328cff9bb5d7b1b62b2b8f5112
Instruction ID: 6b2bb08251ad12d7715f75aa8357d1f96f4bcb8439133e9827436090800ebd91
Opcode Fuzzy Hash: ccec957d20f58c3e9f26b9c8a971be4944bbf4328cff9bb5d7b1b62b2b8f5112
Instruction Fuzzy Hash: E711A37952D250EBC301EF18E844A1FFBF9AF96710F058828E4C49B251D335D820CB97

Function 00285BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0028973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00285BDE

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0028695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 002869C5

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 35222f14698e9c7322f9156922b15525608da0eeefc0b93d796b32b426002042
Instruction ID: a526924b4c0f7085d8f89872620d6413c788dcf7effb995470138128b16bf071
Opcode Fuzzy Hash: 35222f14698e9c7322f9156922b15525608da0eeefc0b93d796b32b426002042
Instruction Fuzzy Hash: 8931ABB56293028FD718EF14D8A872BB7F1FF84344F18881DE5C6972A1E3359924CB56

Function 0025049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf50af8356dce35a0d54c9edf668bace58f7202475c75b703585be371ff1a880
Instruction ID: bc86dc935d5ed171dce00d63fb80df198393d77de89702bb66c8d9e0cd666fe3
Opcode Fuzzy Hash: cf50af8356dce35a0d54c9edf668bace58f7202475c75b703585be371ff1a880
Instruction Fuzzy Hash: 3C918A75211B00CFD324CF25EC98A16B7F6FF89315B118A6DE8568BAA1D731F829CB50

Function 00250228 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be264d54f8fb8e2d39ed2c2b23401f6cda99d655a5bfed30455b1d8e2674ccd3
Instruction ID: d3100ca53e30598fe6fe9b88484ca55f9e622333b339894313dbf6445b6a4a03
Opcode Fuzzy Hash: be264d54f8fb8e2d39ed2c2b23401f6cda99d655a5bfed30455b1d8e2674ccd3
Instruction Fuzzy Hash: 16717A78211701DFD7248F21EC98B16B7F6FF49315F1089ADE8468B662D731E829CB50

Function 002899D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbf923b75d8f63168cbd6dfa6511eeb1090b7bd481f8e1f35c655e0db414dd3
Instruction ID: 334eaa40b13d4505f08bf5425e6b30cb02b0962292cbf688da6ff72b66be755b
Opcode Fuzzy Hash: ccbf923b75d8f63168cbd6dfa6511eeb1090b7bd481f8e1f35c655e0db414dd3
Instruction Fuzzy Hash: 2D41C33822A301ABD714EF55E890B3FF7E5EB85714F18882DF58A97291D331E861CB52

Function 002863B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29329a1277006f655a23f8daef56378bea2db0e21e2c05d3d538fa9e320d806c
Instruction ID: d22109256ecb1f317c8057e857abe700132ef5e2d43cf0b83e39c48b4af45ccd
Opcode Fuzzy Hash: 29329a1277006f655a23f8daef56378bea2db0e21e2c05d3d538fa9e320d806c
Instruction Fuzzy Hash: E531E67865A302BBE624EF04DD8AF3EB7A5FB80B15F64850CF181672D1D370AC218B52

Function 0042F205 Relevance: 4.6, APIs: 3, Instructions: 93
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00430B8B
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00430BB2
GetNativeSystemInfo.KERNELBASE(?), ref: 00430C09

Memory Dump Source

Source File: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: d9dce487079e9693c5a13b08d44b314ff43eb9e71e5344a205ea210cec0a2818
Instruction ID: db14a5af43f95fdb5abfa398c9bdfd3f1a23449a7d74c8a4d5ea550106c125ae
Opcode Fuzzy Hash: d9dce487079e9693c5a13b08d44b314ff43eb9e71e5344a205ea210cec0a2818
Instruction Fuzzy Hash: F2418CB150810EDFDF11DF60C848BEF7AA5EB19310F041626E98682A51E7BA5CB4DB4E

Function 00283220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 002832A6

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cd226b19c890f9ff486b63c1d213622e070e27a24aa85f00a0ce424c553017f3
Instruction ID: 422e7d5be460f462e9e96af9ea312846321eae4dd53b2283c9ab4372bc48837c
Opcode Fuzzy Hash: cd226b19c890f9ff486b63c1d213622e070e27a24aa85f00a0ce424c553017f3
Instruction Fuzzy Hash: 38016D3450D2409BC701EF18E889A1ABBE8EF4AB10F05495CE5C98B361D335DD60DB96

Function 00283202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00283208

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c2a99cd9b3c02961427ce85357d58d06a33ad0426c87db7b91fcf79f62780ccf
Instruction ID: 194f1462cbeff2d4d40ca6dc7adb15d1194b786343a5280c7efba5328ca75442
Opcode Fuzzy Hash: c2a99cd9b3c02961427ce85357d58d06a33ad0426c87db7b91fcf79f62780ccf
Instruction Fuzzy Hash: 51B012300800005FDA041B00FC0EF007510EB00605F800050A100040B1D1615864D554

Non-executed Functions

Function 0025DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0025DE37, 0025DE46
<=2, xrefs: 0025EA01
lkji, xrefs: 0025E73E
:WUE, xrefs: 0025F6B7, 0025F6C6
WP, xrefs: 0025DCEF
tsrq, xrefs: 0025E6FC
dcba, xrefs: 0025E728
QNOL, xrefs: 0025E775
xgfe, xrefs: 0025E71D
<=:;, xrefs: 0025E930
@ONM, xrefs: 0025E6DB
DCBA, xrefs: 0025E887, 0025E896
`onm, xrefs: 0025E733
`Y^_, xrefs: 0025E99E
89&', xrefs: 0025E93B
mjkh, xrefs: 0025E7D8
AR, xrefs: 0025DD10
LKJI, xrefs: 0025E6E6
T, xrefs: 0025F157
D, xrefs: 0025E846
|, xrefs: 0025ECB1
()./, xrefs: 0025E9CA
tuJK, xrefs: 0025E967
89>?, xrefs: 0025E9F6

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 915fb03cd6e3e07b709fb7c780149e18e306464dc1cf3def5d257ab40e8b8e4a
Instruction ID: 2a8de016daff6978e3cb4bfcba58e13fe80281e808cf638aec3a66fb0f4901d0
Opcode Fuzzy Hash: 915fb03cd6e3e07b709fb7c780149e18e306464dc1cf3def5d257ab40e8b8e4a
Instruction Fuzzy Hash: 79F2AAB05193829FD774CF14C484BABBBE6BFD5305F14482CE8C98B281E73199A8CB56

Function 002723E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

f@~!, xrefs: 002725FF
|}&C, xrefs: 00272F21
:, xrefs: 002732DD
{l`~, xrefs: 0027268C
fedc, xrefs: 00272782
Cx, xrefs: 0027453D
3<, xrefs: 002732D6
ggxz, xrefs: 00272685
`tii, xrefs: 00272693
%*+(, xrefs: 002740EF
aenQ, xrefs: 0027276A
mlc@, xrefs: 0027275C

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: 46d0fcd074eb2d20faff376acd99288bfc163a843f3b3b88886029086a47668d
Instruction ID: 2702f8c6fdf4fbf20525dfc8ec9b5a1df0a756718c10d11b2e5fd8b8bc127885
Opcode Fuzzy Hash: 46d0fcd074eb2d20faff376acd99288bfc163a843f3b3b88886029086a47668d
Instruction Fuzzy Hash: 1A33CC70524B81CBD725CF38C590B62BBE1BF16304F58899DD4DA8BB92C735E816CBA1

Function 00269F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

%e6g, xrefs: 0026A152
CG, xrefs: 0026AA32
hi, xrefs: 0026AB9D
_Y, xrefs: 0026A641
(a*c, xrefs: 0026A147
WQ, xrefs: 0026A62B
sm, xrefs: 0026A830
S], xrefs: 0026A636
WH, xrefs: 0026AA1C
N[, xrefs: 0026A375
]{, xrefs: 0026A1E7, 0026A1F3
/), xrefs: 0026A66D
=], xrefs: 0026A36A
JG, xrefs: 0026AA27
kW, xrefs: 0026A380
Gt, xrefs: 00269FF8
?m,o, xrefs: 0026A13C

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: c05deffdf8712f47e41fdfbeb8157feb83605b91cc62b2f019f809bd27ae255e
Instruction ID: 6c8d87cc9f6cb3b1a13c328f406316d50b326c3da3a424b5ecdaf64669856c0d
Opcode Fuzzy Hash: c05deffdf8712f47e41fdfbeb8157feb83605b91cc62b2f019f809bd27ae255e
Instruction Fuzzy Hash: E852C7B444D385CAE270CF25D581B8EBAF1BB92740F608A1DE5ED5B255DB708085CF93

Function 00269510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

2A"_, xrefs: 00269980
,A&C, xrefs: 0026982E
?M0K, xrefs: 00269968
!E4G, xrefs: 00269836
G'M!, xrefs: 00269ADB
B7U1, xrefs: 00269AFB
pq, xrefs: 002699E0
z=Q?, xrefs: 00269826
8;, xrefs: 00269B13
B?Q9, xrefs: 00269B0B
O+f), xrefs: 00269634, 0026963D
X/R), xrefs: 00269AEB
G+X5, xrefs: 00269AF3
L3Y=, xrefs: 00269B03
T#a-, xrefs: 00269AE3
;IJK, xrefs: 0026983E

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 7c391a15ce3579ad47396eccbd5b4b28336ecaeb36d518f13a8f881c9946117d
Instruction ID: 17ebfe5c7d17639740e3de921b97fd917f52f2dd681e1999562d4e24175e5a71
Opcode Fuzzy Hash: 7c391a15ce3579ad47396eccbd5b4b28336ecaeb36d518f13a8f881c9946117d
Instruction Fuzzy Hash: A8F150B0528381ABD310DF15D880A2BBBF8FB86B48F544D1CF4D59B252D734DA98CB96

Function 0026DD29 Relevance: 18.6, Strings: 14, Instructions: 1142COMMON

Download Yara Rule

Strings

hX]N, xrefs: 0026DDC7
r&, xrefs: 0026E92E
)IgK, xrefs: 0026E261
&, xrefs: 0026E9C5
n\+H, xrefs: 0026DDC0
,Q?S, xrefs: 0026E26F
=]+_, xrefs: 0026E276
{E, xrefs: 0026E323
-M2O, xrefs: 0026E25A
<Y.[, xrefs: 0026E27D
&, xrefs: 0026E403, 0026E664, 0026E7BD
%*+(, xrefs: 0026E143
Y9N;, xrefs: 0026E245
upH}, xrefs: 0026DE8A, 0026E798, 0026DF4A

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: &$%*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$r&$upH}${E$&
API String ID: 0-524279257
Opcode ID: 8c2e30e6c414a64b7441a4aa2144a62795c3e213792fe6188a5aff9659d4d144
Instruction ID: 9f42948e2b9f69a8ea1b77a4578655f4f60df730a9dbe69cc43b1cbb1a52c3ad
Opcode Fuzzy Hash: 8c2e30e6c414a64b7441a4aa2144a62795c3e213792fe6188a5aff9659d4d144
Instruction Fuzzy Hash: A0922775E10216CFDB08CF69D8417AEBBB2FF49310F298169E416AB391D731AD61CB90

Function 004122C3 Relevance: 12.8, Strings: 9, Instructions: 1577COMMON

Download Yara Rule

Strings

3]Cw, xrefs: 00413484
Gb5o, xrefs: 0041302F
`>o, xrefs: 004123E9
-ErL, xrefs: 00412F03
.1|, xrefs: 004133C1
~yo, xrefs: 00413435
0=s, xrefs: 0041271B
%W( , xrefs: 004128E6
;"{, xrefs: 004135D1

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %W( $-ErL$.1|$3]Cw$;"{$Gb5o$`>o$~yo$0=s
API String ID: 0-1149440118
Opcode ID: 65691bb8e7ed72d98be3efd3e9e9e73757ed11ce133277f932cd75d5468ae97d
Instruction ID: 730d6f2a578ba79c5543f80e9d7ff1c4772b494b60456c867dd1951e4b9de690
Opcode Fuzzy Hash: 65691bb8e7ed72d98be3efd3e9e9e73757ed11ce133277f932cd75d5468ae97d
Instruction Fuzzy Hash: 6FB2E5F36082049FE7046E2DEC8567AFBE9EF94720F1A493DEAC4C3744E63598058697

Function 0026098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

9.5^, xrefs: 00260F9F
%*+(, xrefs: 00260A77, 00260A86
{, xrefs: 00261502
qrqp, xrefs: 00261089
,#15, xrefs: 00260F94
&> &, xrefs: 00260F89
gce/, xrefs: 00261073
cah`, xrefs: 0026107E

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 616487bfb82ea15f46c3cc723ef5d0529fa8538dace64b43bd23c0bed9618b7b
Instruction ID: 4832dab1c2b3c166a5f7773bb335d0a9f5efa183aeb2b7ff392ec7839f8d70e3
Opcode Fuzzy Hash: 616487bfb82ea15f46c3cc723ef5d0529fa8538dace64b43bd23c0bed9618b7b
Instruction Fuzzy Hash: D162A8B16183818FD330CF14D895BABB7E1FF96314F08492DE49A8B681E77599A0CB53

Function 00241000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00242297
gfff, xrefs: 002422E1
gfff, xrefs: 00242226
0123456789ABCDEFXP, xrefs: 0024157D, 002415EB
-, xrefs: 002421ED
0123456789abcdefxp, xrefs: 00241587, 002415F8
@, xrefs: 00242C40

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 65ee87e200b7d7c60c95ffd3bce823d6f354242174027f6bf22f66decbff9ac4
Instruction ID: 8417cfd6d98b477e48f7ec1b0e0d866fa51e8d04e057992039a571c26672853d
Opcode Fuzzy Hash: 65ee87e200b7d7c60c95ffd3bce823d6f354242174027f6bf22f66decbff9ac4
Instruction Fuzzy Hash: 88D204316283528FD71CCE29C49036ABBE2AFD5314F188A2DF899C7391D774D959CB82

Function 0041577D Relevance: 10.4, Strings: 7, Instructions: 1648COMMON

Download Yara Rule

Strings

?8, xrefs: 00415853
^#\, xrefs: 004167E5
/kv, xrefs: 004168EE
Qr?, xrefs: 00416108
o }O, xrefs: 004163A6
Z_io, xrefs: 0041621E
\#\, xrefs: 00416802

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: /kv$?8$Qr?$Z_io$\#\$^#\$o }O
API String ID: 0-643045077
Opcode ID: 880426d716e804a236f29a261e0de079aefd94b4e4c23d641feeceb88cd1ffb4
Instruction ID: fe3305b6626e700b2c2a160a5539b25d1b1fa0c5fd1fe1c8c2dce77260928d8a
Opcode Fuzzy Hash: 880426d716e804a236f29a261e0de079aefd94b4e4c23d641feeceb88cd1ffb4
Instruction Fuzzy Hash: 84B208B360C204AFE3046E2DEC8567AFBE9EF94720F16493DE6C4D3744EA3598058697

Function 00408461 Relevance: 9.2, Strings: 6, Instructions: 1658COMMON

Download Yara Rule

Strings

TX7, xrefs: 00409191
!b., xrefs: 00408BF1
pC77, xrefs: 00408481
O<tv, xrefs: 004096CA
`rwW, xrefs: 00408892
pa_?, xrefs: 004093FD

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: !b.$O<tv$TX7$`rwW$pC77$pa_?
API String ID: 0-956097245
Opcode ID: cff401954f9aeb36e56251ddc7bf2fed30c5b9f746bd5fa2ecb16c22f6c1313d
Instruction ID: f3b7ff1b40f1586334b9007bc1cab6b43f2b0012c195c55dcc6445f6d6f01ee2
Opcode Fuzzy Hash: cff401954f9aeb36e56251ddc7bf2fed30c5b9f746bd5fa2ecb16c22f6c1313d
Instruction Fuzzy Hash: 3AB23AF3A0C204AFE3146E2DEC8567AFBE9EBD4320F1A453DEAC5C7744E93558018696

Function 00410860 Relevance: 9.1, Strings: 6, Instructions: 1589COMMON

Download Yara Rule

Strings

qdN, xrefs: 004111A8
q4, xrefs: 00411A29
T%{, xrefs: 00410BD3
aK{, xrefs: 00410C55
j]G, xrefs: 004109B2
Su>, xrefs: 00411B61

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: Su>$T%{$j]G$qdN$q4$aK{
API String ID: 0-3495625197
Opcode ID: 07fce7c77fe483544330f8e18e908d409b6a2fd13cb6502af5852919f83c1bc8
Instruction ID: c46019eaae5fb648b7c5dfcfde8256e53c06e972b53c1136568f67256076c599
Opcode Fuzzy Hash: 07fce7c77fe483544330f8e18e908d409b6a2fd13cb6502af5852919f83c1bc8
Instruction Fuzzy Hash: E7B2F9F390C2049FE304AE2DEC8567ABBE5EF94720F1A493DEAC4C3744E53598158697

Function 0040A479 Relevance: 8.7, Strings: 6, Instructions: 1219COMMON

Download Yara Rule

Strings

%=, xrefs: 0040A609
#fw, xrefs: 0040A755
dLQ, xrefs: 0040A792
@Vl~, xrefs: 0040AF9A
a{K, xrefs: 0040AE46
9d~Q, xrefs: 0040ABCB

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: #fw$9d~Q$@Vl~$dLQ$%=$a{K
API String ID: 0-3929880288
Opcode ID: ee7042dfba16342d8e44db66381b52be51ffd3a0ca12c5918598a4d6c16d0206
Instruction ID: 8a022d93313ffb727a7cab4c9891b223a97bd1a1f057ba265ece39424d9d2142
Opcode Fuzzy Hash: ee7042dfba16342d8e44db66381b52be51ffd3a0ca12c5918598a4d6c16d0206
Instruction Fuzzy Hash: 638236F3A0C2049FE3046E2DEC8567ABBE9EF94720F1A453DEAC4C7744E93598058796

Function 00407010 Relevance: 8.6, Strings: 6, Instructions: 1097COMMON

Download Yara Rule

Strings

FXiK, xrefs: 004079AA
I+;r, xrefs: 0040739D
Co}, xrefs: 004073F2
m&_O, xrefs: 0040771D
Co}, xrefs: 004073DE
@eo=, xrefs: 0040796A

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: @eo=$Co}$Co}$FXiK$I+;r$m&_O
API String ID: 0-1309824505
Opcode ID: c4c015e02602a2d72c1577bb1644df339bdb8316978be4261db1d05155f2359c
Instruction ID: 474cc1bb66acf26ac0351948b8866e739dd3a950b28f90b4d5c3d03dd9e04817
Opcode Fuzzy Hash: c4c015e02602a2d72c1577bb1644df339bdb8316978be4261db1d05155f2359c
Instruction Fuzzy Hash: B772E7F36082049FE3046E2DEC8567AF7EAEFD4720F1A893DE6C4C7744E63598058696

Function 00418E56 Relevance: 7.9, Strings: 5, Instructions: 1672COMMON

Download Yara Rule

Strings

|ew, xrefs: 004190BE
"-c;, xrefs: 00418FE2
,6, xrefs: 00419BB7
Yp_, xrefs: 00419806
epz:, xrefs: 0041920F

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: |ew$"-c;$Yp_$epz:$,6
API String ID: 0-2588834461
Opcode ID: 9a6350fd476a37b2f150a4b19538e25abd5f3bb1fe437701bef53689ea509709
Instruction ID: d14da70acc91631955206ea8905fcd1b0d71b0e00288a7fe3b6c6756944f0c0d
Opcode Fuzzy Hash: 9a6350fd476a37b2f150a4b19538e25abd5f3bb1fe437701bef53689ea509709
Instruction Fuzzy Hash: 3EB217F360C2009FE3086E2DEC9567AFBE9EB94320F16893DE6C5C7744EA3558418697

Function 0041AA1D Relevance: 7.8, Strings: 5, Instructions: 1594COMMON

Download Yara Rule

Strings

Cje, xrefs: 0041AD56
{7>?, xrefs: 0041AEF3
wz>, xrefs: 0041B76C
Lo, xrefs: 0041AB8C
F9{, xrefs: 0041B2F6

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: Cje$F9{$Lo${7>?$wz>
API String ID: 0-1300894068
Opcode ID: 333d5821e80525150769c513cb3b1420ee1583cac9153cc7a0bc5d7943702cd4
Instruction ID: 8b7bab775def7803ac14f8fab6e706c3a5a087668624d95bdec93d8a7d70a562
Opcode Fuzzy Hash: 333d5821e80525150769c513cb3b1420ee1583cac9153cc7a0bc5d7943702cd4
Instruction Fuzzy Hash: FDB2F4F390C2049FE304AE29EC8567AFBE5EF94320F1A493DEAC5C7344E63598458697

Function 0040BA0F Relevance: 7.8, Strings: 5, Instructions: 1539COMMON

Download Yara Rule

Strings

Q*~, xrefs: 0040BB11
Ct, xrefs: 0040BC77
{K~k, xrefs: 0040BBAD
e9ld, xrefs: 0040C7A2
^d\, xrefs: 0040BC86

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: Q*~$^d\$e9ld${K~k$Ct
API String ID: 0-2449014224
Opcode ID: 87bf8be04b11c484a4dded9d81beecbe23907aa0bfc8f49ba10358a27fc81e4f
Instruction ID: fa32fba7e47a194a8b5efc17ff266d6fe9a51e4f79ca264d38c1b42af687b961
Opcode Fuzzy Hash: 87bf8be04b11c484a4dded9d81beecbe23907aa0bfc8f49ba10358a27fc81e4f
Instruction Fuzzy Hash: 07A2E7F360C2009FE708AE29EC8577ABBE5EF98720F164A3DE6D5C7740E63558018697

Function 002412F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

@, xrefs: 00243531
i, xrefs: 002428EA
0, xrefs: 00241DC1
0, xrefs: 00241E88
0, xrefs: 0024243E

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 197a87bd8b3e997d360e6f20540d88087081c51f41e0c856f668edeb761fbeec
Instruction ID: 0a6bba469b0990ad69161bbd321156cd5b3a514a7bed4fc15092fddccb119bec
Opcode Fuzzy Hash: 197a87bd8b3e997d360e6f20540d88087081c51f41e0c856f668edeb761fbeec
Instruction Fuzzy Hash: 4662E07162C3828BC31DCF29C49036ABBE1AFD5348F588A2DF8D987291D774D959CB42

Function 0024164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 0024164F
gfff, xrefs: 00241F3C
0123456789abcdefxp, xrefs: 00241659
gfff, xrefs: 00241F57
+, xrefs: 00241573

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: e26ef9d4a435e532e09d341810b69049c5b75593d1831329f84181f847821df8
Instruction ID: 017187a836c1aa50b9785fc1a1e402112bd918d6eaea7191d2b4956cc1d051f2
Opcode Fuzzy Hash: e26ef9d4a435e532e09d341810b69049c5b75593d1831329f84181f847821df8
Instruction Fuzzy Hash: 1DF1C03061C3828FC719CE29C48436AFBE2AFD9304F588A6DE4D987352D774D959CB92

Function 002413A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 002413A3
gfff, xrefs: 00241F3C
0123456789abcdefxp, xrefs: 002413AD
gfff, xrefs: 00241F57
-, xrefs: 00241F23

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: f984d811f1caf3731b0a164ed869bda303d0a3654047a8fb94f8cb4680087914
Instruction ID: 83d43ffd4805ea057976bf23ab71e09ad8042f8f4438b4f9f4d11b2aac747bcd
Opcode Fuzzy Hash: f984d811f1caf3731b0a164ed869bda303d0a3654047a8fb94f8cb4680087914
Instruction Fuzzy Hash: 52D1AE316187828FC719CF29C48026AFBE2AFD9308F48CA6DE4D987356D634D959CB52

Function 00262260 Relevance: 6.6, Strings: 5, Instructions: 383COMMON

Download Yara Rule

Strings

a|, xrefs: 00262317
b&&, xrefs: 0026265C
lc, xrefs: 00262507
hu, xrefs: 0026232F
sj, xrefs: 00262327

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: a|$b&&$hu$lc$sj
API String ID: 0-1906391715
Opcode ID: a1b7e3aac258358012007e248843ccf94c8e9e7b7988b8e28bf10abc42e1caae
Instruction ID: a889e61131312fc13d6b25bc38163e98217c394b0fa4dd30327c834e3b8cec5b
Opcode Fuzzy Hash: a1b7e3aac258358012007e248843ccf94c8e9e7b7988b8e28bf10abc42e1caae
Instruction Fuzzy Hash: DAA19CB0428341CBC320DF18C891A2BB7F4FF96354F549A0CE8D59B291E739D9A5CB96

Function 0026FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

uvw, xrefs: 0026FE95
:, xrefs: 00270087
m1s3, xrefs: 0026FEC3, 0026FECB
NA_I, xrefs: 0027036D

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 4d66eacd5f6bc1bb386b778fb91d432b00877296cdfaaebc91596d9fd7a1532a
Instruction ID: c0e1c9c97776b159bd2678d80927eddce7ecf934fc77a34efe92c37e7f9ce150
Opcode Fuzzy Hash: 4d66eacd5f6bc1bb386b778fb91d432b00877296cdfaaebc91596d9fd7a1532a
Instruction Fuzzy Hash: A332CDB0528381DFD301DF29D884B2ABBE5BB86350F14895CF5D98B292D335D929CF52

Function 00253BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

;z, xrefs: 00253C87
p, xrefs: 00253C80
%*+(, xrefs: 00253EC4
ss, xrefs: 00253C79

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 7012f4d12766b3bab445768601ab30421a6dbb2aeefae39700147bd9b96afd67
Instruction ID: e91c4f8e680c602b58014c4e5871904a43c5425ef33b98bfa3f1ec4567a5c17b
Opcode Fuzzy Hash: 7012f4d12766b3bab445768601ab30421a6dbb2aeefae39700147bd9b96afd67
Instruction Fuzzy Hash: 97026DB4820B009FD760EF24D986756BFF4FF05301F50495DE89A8B685E370A429CFA6

Function 0026D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

#', xrefs: 0026D9EA
CV, xrefs: 0026D98B
KV, xrefs: 0026D97D
T>, xrefs: 0026D984

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: adeb613dbc9b712e369d1f6da0af99505cdedcfcb6da6719a9130c206513cba5
Instruction ID: 752fe9688602e43b8fa04eb929fe89e9fa8c97b5b99f774696d7a0372c43a5bf
Opcode Fuzzy Hash: adeb613dbc9b712e369d1f6da0af99505cdedcfcb6da6719a9130c206513cba5
Instruction Fuzzy Hash: 3D8156B48117499BCB20DF96D28515EBFB1FF16300F60460CE486ABA55D330AA65CFE3

Function 0026AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

4c2a, xrefs: 0026ACA9
lk, xrefs: 0026ACBC
,{*y, xrefs: 0026AD07, 0026AD13
(g6e, xrefs: 0026ACA1

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 4657f918c980dfa719f95f0602d7a1f35883a501692ece0a75f4b5d13010780d
Instruction ID: 3cc57b27c9eab4af126ff30338124d23f9c7883c79b33870ee632562bdaa0957
Opcode Fuzzy Hash: 4657f918c980dfa719f95f0602d7a1f35883a501692ece0a75f4b5d13010780d
Instruction Fuzzy Hash: E94194B4418382CAD7209F20D804BABB7F4FF86345F14595EE9C8A7260EB32D954CF96

Function 0040E0E1 Relevance: 4.2, Strings: 3, Instructions: 434COMMON

Download Yara Rule

Strings

o%y\, xrefs: 0040E257
o%y\, xrefs: 0040E2CA
3?o, xrefs: 0040E29D

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: 3?o$o%y\$o%y\
API String ID: 0-438721638
Opcode ID: 2787dea714d37f96005b085f0d47cce79552181a23a424cef09a4016d89f2927
Instruction ID: 7f2e6f7a7c957549d76b06c4cfa2a1d22ff46290ea6cd5bb2ff50edd0109a95f
Opcode Fuzzy Hash: 2787dea714d37f96005b085f0d47cce79552181a23a424cef09a4016d89f2927
Instruction Fuzzy Hash: 24E1D3F250C600AFE304AF29DC8577AFBE5EF98720F16892DE6C487744E63598118B57

Function 0026C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 0026C537
%*+(, xrefs: 0026C9E4, 0026C9ED
%*+(, xrefs: 0026C8C3, 0026C8CB

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: 8ee510c286c19fd1424872105d934a83d33a032f82c3a5cdb2b910bbcf545665
Instruction ID: c12d0775cb7e99ed3fe753fff06dabccc92d719984e325f7dbd4e4f04117fbc7
Opcode Fuzzy Hash: 8ee510c286c19fd1424872105d934a83d33a032f82c3a5cdb2b910bbcf545665
Instruction Fuzzy Hash: 3BE1CAB5929341DFE320AF65E884B2ABBF9FB85340F54882DE1C887251D731D860CF92

Function 00248590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

IEND, xrefs: 002489F0
), xrefs: 0024860C
), xrefs: 00248616

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 2a8abea39be8037785843a3942f83fb9db63d50fec3eb6cc8f4d00abc861db7c
Instruction ID: 90ccffaebe2629005e4dd1f57eb832111ea3a4334f057b299ffe131cf563bfc1
Opcode Fuzzy Hash: 2a8abea39be8037785843a3942f83fb9db63d50fec3eb6cc8f4d00abc861db7c
Instruction Fuzzy Hash: 44E1E2B1A287029FE314CF28C84572EBBE4BB94314F14492DF99597391DBB5E924CBC2

Function 0041CE6D Relevance: 3.4, Strings: 2, Instructions: 854COMMON

Download Yara Rule

Strings

a)|, xrefs: 0041D711
?^, xrefs: 0041D1B8

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: a)|$?^
API String ID: 0-3142012609
Opcode ID: b72c463901f4f628561236e33790bcb6a60d3bd2d901f694f44b098174635bf6
Instruction ID: 05a6d7b50048671913d4872f2520f8e38e9785d32caccd2fee7ee5c054b17140
Opcode Fuzzy Hash: b72c463901f4f628561236e33790bcb6a60d3bd2d901f694f44b098174635bf6
Instruction Fuzzy Hash: D0424BF3A086009FE300AE2DDC8567BB7EAEFD4720F1A853DE6C4D7744E93598058696

Function 00284040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

f, xrefs: 0028420C
%*+(, xrefs: 002840A4, 002840AD

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: df5774067835f6c64510a4d0c6a9ded1f1a75a7b50ede2eaefc28626b43c3183
Instruction ID: ce9fd406b4e5b319adaa0b12af4991d32258ceb5983dea373dea91ae5d1efbd6
Opcode Fuzzy Hash: df5774067835f6c64510a4d0c6a9ded1f1a75a7b50ede2eaefc28626b43c3183
Instruction Fuzzy Hash: 5B12DF7961A3428FC714EF18C880B2EBBE6FBC9314F588A2DF49497291D735D914CB92

Function 0027F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

hi, xrefs: 0027F6E6
dg, xrefs: 0027F7F5

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: d1906a718f3bbd6db3a0307d13fe25248b22059dba204bd08bbe6f9339575299
Instruction ID: 2b3bf7fb928b0e14bbbc389514c8f2b9e389496f5163a8e72fb8f2ece17e3e4e
Opcode Fuzzy Hash: d1906a718f3bbd6db3a0307d13fe25248b22059dba204bd08bbe6f9339575299
Instruction Fuzzy Hash: 3CF1947162C341EFE304CF24D895B6ABBE5FB85344F24892DF1998B2A1C734D854CB52

Function 002435B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 0024360E
Inf, xrefs: 00243607

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 3224fc01754d5a0796ddf5a7dd8210643fd501549f7088f0cb925e941240d41a
Instruction ID: 94ba4c9182d6ee092238878193fcbd90bf742801a3d8fe1d9282c28a17f5813c
Opcode Fuzzy Hash: 3224fc01754d5a0796ddf5a7dd8210643fd501549f7088f0cb925e941240d41a
Instruction Fuzzy Hash: 51D1E671A283129BC708CF28C88061EF7E5FBC8750F258A2DF99997391E775DD158B82

Function 0038ADB7 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

(K^, xrefs: 0038B038
Soc, xrefs: 0038ADD7

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: (K^$Soc
API String ID: 0-1812260406
Opcode ID: 0a6497748bfbb4e3778adcec77ecf61103be734a3796a5892c609422eecf2371
Instruction ID: ce36e17099261c64df457a576f432b021fecb1dbf804288a31c31dc68da87ff9
Opcode Fuzzy Hash: 0a6497748bfbb4e3778adcec77ecf61103be734a3796a5892c609422eecf2371
Instruction Fuzzy Hash: 2C71F7F3A1C3089FE745AE29EC9573AB7D6EB54320F16493DEAC4C7340EA3598448786

Function 002D7BA5 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

&mu., xrefs: 002D7D95
n==, xrefs: 002D7D69

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: &mu.$n==
API String ID: 0-1860171379
Opcode ID: 6b6b3b84b5f98bdf2781a195bf9f73330a34431b597b9d67dee7fa831115ab6c
Instruction ID: c72ce67ae581646267ea439c32f77b4c3660c1c756ee8630ebd8ff8aac762d11
Opcode Fuzzy Hash: 6b6b3b84b5f98bdf2781a195bf9f73330a34431b597b9d67dee7fa831115ab6c
Instruction Fuzzy Hash: 2A615CB3A0A2145FE3046E2DDD5577AFBE9EFD4720F1A453EE6C583784E93158008683

Function 0025FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

BaBc, xrefs: 00260197
Ye[g, xrefs: 002600F6

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: a77b8814013e3a6c30c275916ef14160662e23aadd6de6093784286979a90212
Instruction ID: b3aa7e1e36e5097c1901419007ebc70dc885b80f3d43f0def15ac71737a9a04e
Opcode Fuzzy Hash: a77b8814013e3a6c30c275916ef14160662e23aadd6de6093784286979a90212
Instruction Fuzzy Hash: DE51CDB16283828BD331CF14C481BABB7E4FF96310F18491DE49A8B691E3749990DB57

Function 00245160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 002454C8

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: de03a093ed0b81c592bcce4a761c2cbe0cc792d89c89b2291755a4606f4f8fdf
Instruction ID: abfe45385b6a6b2ef0ba1ed81f23c9f7f3599efa2850ed674256de60db86c7dc
Opcode Fuzzy Hash: de03a093ed0b81c592bcce4a761c2cbe0cc792d89c89b2291755a4606f4f8fdf
Instruction Fuzzy Hash: 1C22C5B6928B628BE7198F18D440326FBA2AFE1304F1D856DD8D94B343E7B1DC65C741

Function 002712D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 002715D1

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: da5db4b9b9548b567539b641789873d11da1a64be3c1e47fc14749c20674d564
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: E2F12771A183524FD728CE2CC49162BBBE5AFC5350F18C96DE89D87382D634DD25CB92

Function 0026AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0026B2D3, 0026B2DB

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 4586a43af7d1611ac11e60458cdf18d8f9b84852cf6385849614bc9c547f28f6
Instruction ID: 70ec0b34e182e5824eedf4fe1d7ab4f8de28a0d6d6cff3b900d98d0a27771759
Opcode Fuzzy Hash: 4586a43af7d1611ac11e60458cdf18d8f9b84852cf6385849614bc9c547f28f6
Instruction Fuzzy Hash: B1E1CB71628306CBC315DF29D89056EB7F2FF98781F54891CE8C587260E331E9A9CB82

Function 00256EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00256EF3

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: c637f5fa0df82fd6b8a26bc8cd3ca810ca8b42e4b4e5547358f06e31c3c23d04
Instruction ID: 2e0e97429cdcbe247e35fb42646e4b10bf76cccb3af4d4e57c5ff71d16536502
Opcode Fuzzy Hash: c637f5fa0df82fd6b8a26bc8cd3ca810ca8b42e4b4e5547358f06e31c3c23d04
Instruction Fuzzy Hash: B5F1D275A21701CFC724DF28E885A26B3F6FF48315B54892DD89787A91EB30F929CB44

Function 00267E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00268263, 0026826B

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: caaed880a94585fa4e180c07f53c5f614ac7443dc614b93005e7dd29650a9b37
Instruction ID: 501d77693e1ca168c7b8e44650d8f38fb03f112cfd3baa09d3d91f9cf753b27c
Opcode Fuzzy Hash: caaed880a94585fa4e180c07f53c5f614ac7443dc614b93005e7dd29650a9b37
Instruction Fuzzy Hash: 48C1E1B1528201ABD710EF14D881A2BB7F5EF92714F08495CF8C997291E735ECA4CBA3

Function 00268D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00269233, 0026923B

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: bafbfb4b0cbe870aa0ccade011232bc78bad2b7077d640fa904500c8c7402c61
Instruction ID: c33998172480afb72e01d6ecedb11d51b224a6998ed1f8ba9e67fed08a6c8730
Opcode Fuzzy Hash: bafbfb4b0cbe870aa0ccade011232bc78bad2b7077d640fa904500c8c7402c61
Instruction Fuzzy Hash: DFD1D271628302DFD704DF64EC94A2AB7E5FF89304F49486DE88687391DB35E990CB61

Function 00254487 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

BI%, xrefs: 0025485E

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: BI%
API String ID: 0-3873480887
Opcode ID: 537d960a91fe78496f529443a377d95ade8f43af0b977763a098275220baaac5
Instruction ID: f348ffd906a713b7bcdc0789b9b36bd53fdc1f0e52eee3da39a06f9863c67e40
Opcode Fuzzy Hash: 537d960a91fe78496f529443a377d95ade8f43af0b977763a098275220baaac5
Instruction Fuzzy Hash: 9BE111B5511B008FD365DF28E996B97B7E1FF0A709F04881DE8AAC7652E731B824CB14

Function 00287FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00288167

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: ffb82c5ec9d4c83a0894256e78079232b6c1623a5fe0148fb97cc38862f94538
Instruction ID: 14445c15bbe6d89dd4e67f324c7dff9387fef33e60f8ed528ca29db7a7c57118
Opcode Fuzzy Hash: ffb82c5ec9d4c83a0894256e78079232b6c1623a5fe0148fb97cc38862f94538
Instruction Fuzzy Hash: 41D114369182614FC725DE18D89072EB7E1EB80718F55862CE8B5AB3C4CB71DC16C7C1

Function 00286CBF Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"p(, xrefs: 00287015

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: "p(
API String ID: 0-3724712592
Opcode ID: f0d8f99e87d06f921794f813a484d390771ddc2809d65ec21f20b0dac8432ec4
Instruction ID: 6f2836ddd05ea4fedf997bb38f6ccf3c34e825690d7cf9f1cd894c0aa13023bf
Opcode Fuzzy Hash: f0d8f99e87d06f921794f813a484d390771ddc2809d65ec21f20b0dac8432ec4
Instruction Fuzzy Hash: 72D10E3661C751CFC714CF78E8C452ABBE2AB99314F098A6EE891D73A1D330DA44CB91

Function 0026CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0026CDC3, 0026CDCB

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 71d04d158d13cb2c2cebfda8e843a8d4451017fede94b5aef691bf9a55d23b97
Instruction ID: e3cc7b969152f15898bd88e42bc4e2cc0dcb33e352015801d0b5ec89f7e4c62e
Opcode Fuzzy Hash: 71d04d158d13cb2c2cebfda8e843a8d4451017fede94b5aef691bf9a55d23b97
Instruction Fuzzy Hash: 0AB10270A293468BD714EF58D880B3BBBF6EF95340F24482DE5C58B251E335D8A5CB92

Function 0024A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 0024A9C3

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 84e7ad84ea958b4e47cfa8973751b8126a2f2d56b5aa1bfc3e2c5d2e6e81eb59
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: 90B118711083819FD325CF18C88061BBBE1AFA9704F488E2DF5D997782D671EA18CB57

Function 0027FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0027FCA4, 0027FCAD

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 29344a20aca69f047023e4e60aef1606a1465d6d69c6d0cf1deaa840e1f33c6b
Instruction ID: d1f4df6e656a07cb94942f534e68f56031671886e51dfbed2e6b5044a9bc6545
Opcode Fuzzy Hash: 29344a20aca69f047023e4e60aef1606a1465d6d69c6d0cf1deaa840e1f33c6b
Instruction Fuzzy Hash: EE81EE7522D301EBD311EF68E984B2AB7E5FB99701F14882DF18897291D730D924CB62

Function 0025D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0025D663, 0025D66B

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 07da2b1d57647947ab3c615aee7883fb7afd6dd761bc247b88d779010d8e6781
Instruction ID: 2bc58e1836b2cbc8719dfee232fb4a4ad218b741d6d28e669d685eb8c4dd6ae9
Opcode Fuzzy Hash: 07da2b1d57647947ab3c615aee7883fb7afd6dd761bc247b88d779010d8e6781
Instruction Fuzzy Hash: FD610571915215DFD720EF18EC81A3AB3B4FF94355F48082DF98987261E331E925CB96

Function 00284A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00284C33, 00284C3B

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 3be54a1b301e25e67fd90d835ae77553675a608a87b8c7bf22edc52afd4bf30f
Instruction ID: e56bcb2062642855abbd442c1cc67e7121721097f5e16d5e19d2a11a777e3ee5
Opcode Fuzzy Hash: 3be54a1b301e25e67fd90d835ae77553675a608a87b8c7bf22edc52afd4bf30f
Instruction Fuzzy Hash: 2361F179A2A3039BD711FF55D880B2AF7EAEB84318F18891DE584872D1D771EC20CB52

Function 0024E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0024E333

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 0e07db1a55859854da32eb1fe588fda93acecb7b5eb5ffcdb4fd4bafdc51e329
Instruction ID: 80c80ad77ccce1f8c4d1a397fc995e151a08e26a7f696e1b02c9a3ff106daac3
Opcode Fuzzy Hash: 0e07db1a55859854da32eb1fe588fda93acecb7b5eb5ffcdb4fd4bafdc51e329
Instruction Fuzzy Hash: 82516833A796904BE72D893C5C153696EC72B92334B3EC3A9E9F58B3E5D5958C104350

Function 00283920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 002839E3, 002839EB

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 75bddc0d89997d76790b533f8eb057da518073e5f395a6ff387653baa843863b
Instruction ID: ae4cff09255503e8ff676365b6e83661f8671bcf159db54f3addd9cdd56edbae
Opcode Fuzzy Hash: 75bddc0d89997d76790b533f8eb057da518073e5f395a6ff387653baa843863b
Instruction Fuzzy Hash: EC51B33862A201DBDB28EF55D884A2EF7E5FF85B44F14881CE4C697291D771DE20CB62

Function 00401254 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

w, xrefs: 00401374

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-3721766003
Opcode ID: 7c7b3a014180d68a994193fa926960c982cfd39a93d63c5fe39c38b9317f5070
Instruction ID: e9a67d47a784d14a6569f31e4d705936afdc6038d3d8b79dbf688e9a31ec4a23
Opcode Fuzzy Hash: 7c7b3a014180d68a994193fa926960c982cfd39a93d63c5fe39c38b9317f5070
Instruction Fuzzy Hash: 264103F3A086184BE310BA3DDC8977AB7D4DF95710F0A463DDBC887784E938590586C6

Function 00251BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00251C3E

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 6e8fa63b3e3c17b3fe6154eef17ea9c35f5cd53294a4041bc5feb01d7ea06bee
Instruction ID: ccaccc9c79719b3373805b2c86d49f62b7c02c2861d191a56a07f759b2279480
Opcode Fuzzy Hash: 6e8fa63b3e3c17b3fe6154eef17ea9c35f5cd53294a4041bc5feb01d7ea06bee
Instruction Fuzzy Hash: 464162B40183819BC714AF24D894A2FBBF0BF86316F04890DF9C59B290D736C929CB5B

Function 0027FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00280033, 0028003B

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 751117f1a4c66a37e7777044214448204863452df780f5adeb7d9c8e34d068b1
Instruction ID: 51cced9edf8c336ea09b94c34e9be33aceb9a9eed673881772abe4c999555815
Opcode Fuzzy Hash: 751117f1a4c66a37e7777044214448204863452df780f5adeb7d9c8e34d068b1
Instruction Fuzzy Hash: 42311A7992A311ABE650FE54DCC1F2BB7E8EB45744F144829F48597292E231DC38CB63

Function 0026E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 0026E6A2

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 5f70c80aa81d8e16cdeefa2f78b03ce7bb6921cde67fe1f3bd3f22466ceed9eb
Instruction ID: c93c0a110dc578ce64415e05868795ead41650243469a9c63bef4c4b98d00c19
Opcode Fuzzy Hash: 5f70c80aa81d8e16cdeefa2f78b03ce7bb6921cde67fe1f3bd3f22466ceed9eb
Instruction Fuzzy Hash: AC31E6B5911206CFDB21CF95E88056FF7B5FB1A704F24081DE446A7341D331A964CBA2

Function 00256F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0025703B

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: cf64e885ab6b8dbe3d2664d8ebfb4e04737d7d8ebc90411cd0588b2674c0cfae
Instruction ID: d1620cd76be5b87cd5e5183b563d62770bfffdae1faa1c6ade92ccdac95d83a7
Opcode Fuzzy Hash: cf64e885ab6b8dbe3d2664d8ebfb4e04737d7d8ebc90411cd0588b2674c0cfae
Instruction Fuzzy Hash: 97418C75225B11DFD7358F61E994B26B7F2FB08302F14880CE98A97AA1E331F8248B14

Function 0026E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 0026E6A2

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 2543b912480dc90f63160378e6a7df2cb434704c61dcc7abd52c6da440c86cf8
Instruction ID: 452dfce7f0b0f45e528831e3112efca9dc15919674dd8891370082e4aa27f122
Opcode Fuzzy Hash: 2543b912480dc90f63160378e6a7df2cb434704c61dcc7abd52c6da440c86cf8
Instruction Fuzzy Hash: 4F21E2B5911206CFDB21CF95E98456FFBB5BF1A700F25081DE446AB341D331AD60CBA2

Function 00289CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00289D30

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 8bb7bfa3c493801fd54515b726d99c847aa96ee3f37fb8a70ccc81b197a1765a
Instruction ID: 836d50ff5159f441b9c4d20ddbb88bdfa347672717829a547a4445e37f7d8ef2
Opcode Fuzzy Hash: 8bb7bfa3c493801fd54515b726d99c847aa96ee3f37fb8a70ccc81b197a1765a
Instruction Fuzzy Hash: 4431987451A3019BD310EF14D880A2AFBF9EF9A314F18892CE1C597291D335D954CBAA

Function 00254E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8fa481da0c05713b4d12bb7db5aad8500b76d75ea041849f6707554c36415b
Instruction ID: fe340f95f91a23fe3a42e2834c81e04dbaa727852a8355cfc56d12a047aedebe
Opcode Fuzzy Hash: 2a8fa481da0c05713b4d12bb7db5aad8500b76d75ea041849f6707554c36415b
Instruction Fuzzy Hash: 6E628BB0520B008FD725CF24D990B27B7F5AF59701F54896CD89B8BA92E734F868CB94

Function 0024BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: f6427123a56c13f0390be9fd475664febfeb1a9b6eaccd73810bf2f78ab44fa3
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: B5520931A297128BC7699F1CD4402BAF3E1FFC4319F358A2DD9C697280D774A861CB86

Function 00288652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31e72f986159e8952ae57aa0510404f43f8fc8ac0994e10dc08b28f6cdfafea
Instruction ID: f30f17ea4be5ce55b0691b2e6737abd87e6245e3fd6308160de1613703774e93
Opcode Fuzzy Hash: b31e72f986159e8952ae57aa0510404f43f8fc8ac0994e10dc08b28f6cdfafea
Instruction Fuzzy Hash: D022E039619341CFC704EF68E890A2AB7F1FF89315F09886EE58987391D735D861CB42

Function 002886F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30fd60f98ef48b4da918fbeb7d6f978ff35a103d5b9ab574088bd50e204e116
Instruction ID: 395dd9d0a053b1105b278ad64b31b1bae1de11c7ed24109b3d39d506f4e7d9b9
Opcode Fuzzy Hash: d30fd60f98ef48b4da918fbeb7d6f978ff35a103d5b9ab574088bd50e204e116
Instruction Fuzzy Hash: 0B22CD39619340DFC704EF68E894A2AB7F1FF89305F19896EE489873A1C735D861CB42

Function 0024B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2247f8748038c52eae747b46319418256ce0bbdac68849bea44e64091997cddf
Instruction ID: 17f28961b431abd85275096d25e2e49703da3835e9e7917c5f53eb8fbc67949e
Opcode Fuzzy Hash: 2247f8748038c52eae747b46319418256ce0bbdac68849bea44e64091997cddf
Instruction Fuzzy Hash: FA52B270A18B858FE73ACF34C4847A7BBE2AB95314F144C2EC5D606B82C779E895CB51

Function 002471F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03357bd638323729c92b3fbcd9352e4fe12ba3435e645a365c1a4486520bb5be
Instruction ID: 61b8e094dd344d03d5af0035e5331619d7095f459c0a24eecf62b82aa16e60c1
Opcode Fuzzy Hash: 03357bd638323729c92b3fbcd9352e4fe12ba3435e645a365c1a4486520bb5be
Instruction Fuzzy Hash: A352C13151C3468FCB19CF28C0806AABBE1FF88318F598A6DF8A95B351D774D959CB81

Function 00248FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580404ba1eec9d111f97f9074051206253c8fe5565396bc4de793e941236b04c
Instruction ID: ca0b43ba52532daac9fca8f907d42f3d19c784f10062ab783fe638a2aa3bcecf
Opcode Fuzzy Hash: 580404ba1eec9d111f97f9074051206253c8fe5565396bc4de793e941236b04c
Instruction Fuzzy Hash: 5F428979619301DFDB08CF28E85476ABBE1BF88315F0A886CE4898B391D375D995CF42

Function 00247BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f703e7302fa76bffe4e14ed48f32244ef367160f756676189bce58fb0045c1cd
Instruction ID: b2886488f7bce19bae95e7cf6f33f223feff42de1247d320612105390d519533
Opcode Fuzzy Hash: f703e7302fa76bffe4e14ed48f32244ef367160f756676189bce58fb0045c1cd
Instruction Fuzzy Hash: 2C320270A24B118FC368CF29C59062ABBF1BF45710B604A2ED6A78BF90D776F855CB10

Function 002889A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71450f44d9ba346ff0deb44375faadca62000974c755c6d559f6ab46377d706
Instruction ID: ad4b4c61058e98f1dea171f11193d6aea77d9eed87d943f8a6823df161117ac3
Opcode Fuzzy Hash: e71450f44d9ba346ff0deb44375faadca62000974c755c6d559f6ab46377d706
Instruction Fuzzy Hash: A902BD34619341DFC704EF68E884A2ABBE5FF89305F19896EE4C987361C735D861CB52

Function 00288A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649690b0c82675905ecc2f53ca141fc073fb4fc64c4cb0bbbea0d0b05f072a2b
Instruction ID: 527f7c45609df34aaff8b10705e22920571c9b8dc36657687d9b4ffa586f43e0
Opcode Fuzzy Hash: 649690b0c82675905ecc2f53ca141fc073fb4fc64c4cb0bbbea0d0b05f072a2b
Instruction Fuzzy Hash: C4F1BC3461D341DFC704EF28E884A2AFBE5BF89305F18896EE4C987291D736D861CB52

Function 00288C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c18f235328356d0583164e0ca225357e5187d5e79611ec5f4f0d484103b668d
Instruction ID: d449ccbda2b8c9f20e8cb1b475f216cb572df2d17815d6f6eae2bbe0ede38b43
Opcode Fuzzy Hash: 8c18f235328356d0583164e0ca225357e5187d5e79611ec5f4f0d484103b668d
Instruction Fuzzy Hash: 64E1DF35A19341CFC304EF28E884A2AF7E5FB89315F19896DE8C987391D735D851CB82

Function 0024A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: fb568936767479930d332724fecbd05eb83be455f8ccddb4a0df9bf05fd0ef7a
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: F2F1BB766483418FC728CF29C88176BFBE6AFD8300F08882DE4C587751E639E955CB52

Function 00288E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2519140c5bbe640d739c6a2f73d9670c6118236b0f35073bf6edf326dc101262
Instruction ID: 095a9db86a6626a9d01fa8c40a05331f5b510a15919bb6e42e900260694875a6
Opcode Fuzzy Hash: 2519140c5bbe640d739c6a2f73d9670c6118236b0f35073bf6edf326dc101262
Instruction Fuzzy Hash: CFD1CD3461D241DFD304EF28E884A2EFBE5FB8A305F58896EE4C587291C736D861CB52

Function 00287AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf8c5f9c8eb9e4da356dbd8d55e986c225cc6e337383f1164352d6d6b8367ef
Instruction ID: 9e399ff296a95685215ab2b2a7b2e1a520e3c45dfb57dc8d7b3a71a2fb810bb2
Opcode Fuzzy Hash: 8cf8c5f9c8eb9e4da356dbd8d55e986c225cc6e337383f1164352d6d6b8367ef
Instruction Fuzzy Hash: 76B11576A2D3504BE314EE28CC4176BB7E9EBC4314F28492DE999973C2E735DC148B92

Function 003FF9CC Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1e51f0d59d21bc77ba757d64e2a04cd19807742ba23e46a52a87bd13af08c7
Instruction ID: b28586503bf419c1f84b6fc4eba31d1325a9b0b4cf378ad2d28173da713262ab
Opcode Fuzzy Hash: ce1e51f0d59d21bc77ba757d64e2a04cd19807742ba23e46a52a87bd13af08c7
Instruction Fuzzy Hash: 01A1BDB3F112254BF3544938DC983A266929BA5324F2F427C8E9CAB7C5DDBE5C0A5384

Function 0024AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: 0bca0113d7ef94c98461d45e545b6c1ccdaf170f67a8317705d0f87f60a88ab3
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 86C19CB2A187418FC365CF28CC96BABB7E1FF85318F08492CD1D9C6242E778A155CB06

Function 00256536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b9ba186327f538b93f576fe38beff7eee9758d24e448a25eeca6f06dd6daf3
Instruction ID: f92fb49ea086db9992eac72dd1e91520d126bd9737b1f4fa53e26f3a8fbbcacc
Opcode Fuzzy Hash: e2b9ba186327f538b93f576fe38beff7eee9758d24e448a25eeca6f06dd6daf3
Instruction Fuzzy Hash: A5B111B4510B008FD3258F24C984B27BBF5EF46705F54885CE8AA8BA52E735F819CB58

Function 00287710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a340a74484dc77db97e5596f806ed0377e703eace65bc96de946fa241d8a2169
Instruction ID: 8c798b61277fd6b76107b1bb7e537dab116d1eca6de1da7ae6da8509113a90a0
Opcode Fuzzy Hash: a340a74484dc77db97e5596f806ed0377e703eace65bc96de946fa241d8a2169
Instruction Fuzzy Hash: 5491B07962E301ABE720EF14D840B6FB7E5EB85350F64481CF89497391E730E960CB92

Function 0028A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fe6109a5db5d3165587f500a5101cf3d22b6b9f415af6ea507b411ec27e26e
Instruction ID: 1a525cecd8c088e673c47316fbf010a840e8cbdd6c92c641c6b3861515bf2f19
Opcode Fuzzy Hash: 18fe6109a5db5d3165587f500a5101cf3d22b6b9f415af6ea507b411ec27e26e
Instruction Fuzzy Hash: 0D81A43821A7028BE724EF58D880A2EB7F5FF45750F45895DE985C7291EB35EC20CB52

Function 002764F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ff68362283b61ceae4dbdab95dd66b61dbf500e2ed6c01b715ff4064322fd8
Instruction ID: a12b9e2e94d4ccf4bf42c44825f48a7f2dde47152d1354ea6c11c0857981b0f2
Opcode Fuzzy Hash: 41ff68362283b61ceae4dbdab95dd66b61dbf500e2ed6c01b715ff4064322fd8
Instruction Fuzzy Hash: 75710637B79E904BC3149D3C9C8A395AA434BD6334B3DC379A8B88B3E5D6794C165350

Function 002628E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef865825e64b04da81eac47430a13482d22c40f37ab31e38a82726d6cfa94db5
Instruction ID: 205323d6e8609f03307ffb8bca88010ab6eb24e21f1c069d5776bab2b196f3c9
Opcode Fuzzy Hash: ef865825e64b04da81eac47430a13482d22c40f37ab31e38a82726d6cfa94db5
Instruction Fuzzy Hash: BB6188B4428351CBD311AF18E891A2ABBF4EF92750F14491DE4C59B261E339C964CB66

Function 00267C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a6a9715d49cf4857ea7843915bc84f4287cef7f58870f35e4293dabd84901c
Instruction ID: 4507389b83239fa26e111f77705c2698724304fbd01fb810b31058a28bce799e
Opcode Fuzzy Hash: 87a6a9715d49cf4857ea7843915bc84f4287cef7f58870f35e4293dabd84901c
Instruction Fuzzy Hash: 1151DFB1628205ABDB209F24EC82B7733B4EF85768F144958F9858B390F375DC95C762

Function 00271860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: b7708011600e15cbfda7255f8b0b472e5137248f882a816809ab1c5efecca82f
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 0161CE316293029BE714CE2DC58032EBBE6AFC5350F64C92EE49D8B355D2B0DDA6D742

Function 002782D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34522cb33fd81f7d014f907b2a379fcbcc00d61180d903c31cb5e95a9153d9bd
Instruction ID: 306975ed586bef314db670467e1bcf4f33898bfe0817c58eb5f9e1a461db6d9c
Opcode Fuzzy Hash: 34522cb33fd81f7d014f907b2a379fcbcc00d61180d903c31cb5e95a9153d9bd
Instruction Fuzzy Hash: 34614737ABA9914BC314453D6C5D3A6AA831BD2330F3EC3A699B98B3E5CDF94C114352

Function 002542FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cc88c795c5d61c8b930868832c4e7e5ad4854c9a62c994637f41bb00b05252
Instruction ID: 710aa1327cad550a7190b7fa703e9e1cbb0f70f21a8aaf807ea0f9e769e86e2b
Opcode Fuzzy Hash: a3cc88c795c5d61c8b930868832c4e7e5ad4854c9a62c994637f41bb00b05252
Instruction Fuzzy Hash: 7681E4B4810B00AFD360EF39D947757BEF4AB06201F404A1DE8EA96694E7306469CFE3

Function 003C61EE Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648836325f4959cb435abf1ac01bf808717046fde7a1f5ad19d0f025c27c754c
Instruction ID: d920405091769a81474753420a21b7e9ec11ae48a2d4acca6b420880138f21e6
Opcode Fuzzy Hash: 648836325f4959cb435abf1ac01bf808717046fde7a1f5ad19d0f025c27c754c
Instruction Fuzzy Hash: CA5170F3A0C2045BF318A92DEC5573BB7D6EB94320F1A463CEAC9C3784E97D58058296

Function 00365772 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1cf11d0052deeb7ad764dc86ca86733fa3f1d712229728af6150aca84ccd1c
Instruction ID: 51c90cccb3f599fdf11e52b4627d467ac5b2e9dff5edaf0b11201615d541849b
Opcode Fuzzy Hash: de1cf11d0052deeb7ad764dc86ca86733fa3f1d712229728af6150aca84ccd1c
Instruction Fuzzy Hash: 345135F3D186249FE714AE28DC8576AB7D5EB58320F1A063DDEC8D3380E53A5C0586C2

Function 0027E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 7a14a9c5ed6a65cbfdada35e234e3b6b4597252120334ee399f5ad1ba43e0d79
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 34517BB16083548FE714DF69D49435BBBE1BB89318F054E2DE4E983391E379DA088F92

Function 004E96C1 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49522486223f5c48a6e9ac9c75f5d3b45322acfb5691dc029afc8507db50d1b4
Instruction ID: f390eae9087be7d77f2ac88a37890c9b417c81663a08baf293dc4b8ca46598d7
Opcode Fuzzy Hash: 49522486223f5c48a6e9ac9c75f5d3b45322acfb5691dc029afc8507db50d1b4
Instruction Fuzzy Hash: 965159F251C348EFD3047E2AEC4197EBBE5EB41311F22463FD6C242390EA3A58569687

Function 00287520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da16343d867cabc552119d5130ce46ad645afb3493a0fceb84d6cf965596dc9
Instruction ID: bc957d19fa85083d8335c7f9de863d6b87f6c84e82a519c6636811da27ea47a5
Opcode Fuzzy Hash: 4da16343d867cabc552119d5130ce46ad645afb3493a0fceb84d6cf965596dc9
Instruction Fuzzy Hash: 1C51073962D2119BC715AE18DC90B2EF7E6EB85314F788A2CE8E5573D1D631EC20CB91

Function 00245A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254864a97cbd4e881cdf33aaf5a2782432af764d8888dcd5d27f00a7d3825415
Instruction ID: 4cc4a000faed3dc661ad17cbcc07b36bd623668f40bc44ca0d57a2c049ed852d
Opcode Fuzzy Hash: 254864a97cbd4e881cdf33aaf5a2782432af764d8888dcd5d27f00a7d3825415
Instruction Fuzzy Hash: 8251D1B5A147259FC718DF18C880926B7A1FF85328F15466CF8D98B352D631EC62CB92

Function 002DBF09 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816244f9dfcf01c79cdfe81bd2a4d03fabbb4007ec71015c07fe5804a848ab03
Instruction ID: bd264d96b01995eea0f693c006b124fffe6c99b7dc8f35ca5ed663047ac59be4
Opcode Fuzzy Hash: 816244f9dfcf01c79cdfe81bd2a4d03fabbb4007ec71015c07fe5804a848ab03
Instruction Fuzzy Hash: AC4128F3A483145BE3106E58FC85BABB7D9DF54730F1A4239DAC493780EA79590082D7

Function 0026EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f20fe8019fccaf455a575978fb405c9d485a0eb4300c43aadf216473be34318
Instruction ID: c82a1f8260cbbc2648637c6e0a6d5e7a1677a6393ea3e08971a8a8e56fe25cb9
Opcode Fuzzy Hash: 8f20fe8019fccaf455a575978fb405c9d485a0eb4300c43aadf216473be34318
Instruction Fuzzy Hash: C841AF78910326DBDF208F54DC91BADB7B0FF0A340F144549E945AB3A0EB38A9A1CB91

Function 00289B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73b8972cc597ad95e9c25ff6c0fa31bd7a0e529ef204b8a2d4ca06ce2e85ac1
Instruction ID: 902bbf94d70b1c620d1a48644bb926d1cd1cd8b5f1bf159c9c2b1b5ce082256c
Opcode Fuzzy Hash: e73b8972cc597ad95e9c25ff6c0fa31bd7a0e529ef204b8a2d4ca06ce2e85ac1
Instruction Fuzzy Hash: 0E41A43821A301ABD710EF54D990B3EF7E5EB89714F18882DF58657291D336E860CB56

Function 00252030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6be84cebd60c4481d2d874b0a69f57b68a7eea93afe1b0c73955aca77ed6da
Instruction ID: e97cd9baf89add265e36e3c59ff555641e7ef2432b4ed4cb68b89780201d4ec3
Opcode Fuzzy Hash: fe6be84cebd60c4481d2d874b0a69f57b68a7eea93afe1b0c73955aca77ed6da
Instruction Fuzzy Hash: 1B410832A1C3654FD35CCE29849063ABBE2AFC5300F19C62EE8D6873D1DBB48959D785

Function 00251E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37e24197a7608e4da7eed52bdab63bf5c458d83501e625393f5bd0d30bc9f73
Instruction ID: fd3e7e5e222a44fcbe6d385d98e84decbaa07790ce25ff33045c952894b1a00c
Opcode Fuzzy Hash: e37e24197a7608e4da7eed52bdab63bf5c458d83501e625393f5bd0d30bc9f73
Instruction Fuzzy Hash: D84102745183809BC321AF54D888B1EFBF5FB86346F14491DFAC497292C376D8288F6A

Function 00288D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f479f1542f517cf2f1e44d2dcac15776d5c6abfb8bb9a882f49bc8cf5f6886d7
Instruction ID: e44150db3d0de01e7a2bdfc4b3fdb91095f6c559fff973a0bb6467e28e295cd2
Opcode Fuzzy Hash: f479f1542f517cf2f1e44d2dcac15776d5c6abfb8bb9a882f49bc8cf5f6886d7
Instruction Fuzzy Hash: DE41D23561D2518FC304EF68C49052EFBE6EF99300F498A1ED4D5D7292DB74ED118B82

Function 003A3FF9 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db79ef8acfa3e727922c49bdc082ae5ef83d60569efbb42fe8d408eeed1e81b9
Instruction ID: 46fdee85c3a2333b5055000bade7408e14bd12cfd114f482b7ce23ed240feaa3
Opcode Fuzzy Hash: db79ef8acfa3e727922c49bdc082ae5ef83d60569efbb42fe8d408eeed1e81b9
Instruction Fuzzy Hash: 2C41C7F3E082108FF354AE28DC457AAB7E5EF94310F0B493DDBC8D3680D57958018696

Function 0025D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb3a74663f91662184ea0dd632df914f5fc898b1b4290405756ae03bcddb7f3
Instruction ID: 91cf73c3cb5849f061e0769d2336639ae0ae9b900108c3c99939321e82accf5b
Opcode Fuzzy Hash: 7bb3a74663f91662184ea0dd632df914f5fc898b1b4290405756ae03bcddb7f3
Instruction Fuzzy Hash: 4D41CCB56193828FE3349F14C885BAFB7B0FF96361F040959E88A8B791E7744850CB97

Function 0027F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 666bc8f765c4122cac4715fa3430645c5c986df79a90ebe9533c0a02af39f2e1
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: C521F53291C2258BC3249F59C58163AF7E8EB99704F46C62ED9C8A7295E3359C2487E2

Function 002867EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400d7180134a073e125dea4a147958cb75a5cbbd8ef099f4a0a9f026780aa5d9
Instruction ID: 8d9786e31441fa3bfec832e1445caa5919142df13f10e95cb2aab1730962b5a2
Opcode Fuzzy Hash: 400d7180134a073e125dea4a147958cb75a5cbbd8ef099f4a0a9f026780aa5d9
Instruction Fuzzy Hash: A131557442D3829AE704DF04C49462FBBF0EF96384F54580DF4C8AB2A1D338D999CB9A

Function 00265E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d018616cd6f02c1a7810b12592332ff37281e186c2c4eae162b11bc50b487f2
Instruction ID: 58a5f4a9dc2bc42547ae08252ee2806b646bc1318694e09ebc49b4d071284e02
Opcode Fuzzy Hash: 6d018616cd6f02c1a7810b12592332ff37281e186c2c4eae162b11bc50b487f2
Instruction Fuzzy Hash: 2D21B271529221DBD710AF18C85192BB7F4EF92764F54890CF4D59B292E335C9A0CBA3

Function 002449A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 58b5fa223a8d5eed87d9f703c17db6933eb73457ed14d7d7f6a0816a90d0beed
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 8631FE316682119BD718AE18D89072BB7E1FFC8359F18852CE89ACB341D331EC62DF46

Function 002864B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba866a8e7c0f1faba80d8369b0bbb62dbb18f2accc2cfac149f0dc26299f6ce5
Instruction ID: ad0ef38400d710aae76172e1c4a6b1a281b08175f5f0c055991feb0e36f2e879
Opcode Fuzzy Hash: ba866a8e7c0f1faba80d8369b0bbb62dbb18f2accc2cfac149f0dc26299f6ce5
Instruction Fuzzy Hash: 4C21697862D201DBD715EF59E488A2EF7E5EB85741F28881CE4C4933A2C335A860CB62

Function 00250EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3779009fbb5303096bd6a0898f8c7e8f90d6278a2d98f3cba04b4901684bd96
Instruction ID: fd24b9637ca8f52c1e0e925a1545cfb30631027ff29a7d430908b021f36cf4b3
Opcode Fuzzy Hash: e3779009fbb5303096bd6a0898f8c7e8f90d6278a2d98f3cba04b4901684bd96
Instruction Fuzzy Hash: A72148B491021A8FDB14CFA4CC90BBEBBB1FF4A301F144808E811BB282C735A915CF68

Function 0027B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 13ad75078fb74d3fc7966958794cc3eb6ba75e8a87ca2e1f4b52e25452819d74
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7611E533A251D90EC7178D3D8440665BFA71AA3234F59C399F4BC9B2D2D7328D8A8364

Function 00270B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: d2447624f5e35256b5e8ae7d4ddd5c32cf5824f563690ad29162c58d4f9e897a
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: C10175F5A2130287E7209E5494D1B3BB2A86F4171CF18952CD40E97241DB76ED29C695

Function 0026D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebbfc0f584d1be58e88791ac9d2e35407e8704d97e1cd3bb87266d00d70ee89
Instruction ID: 2e466d7a6a2322df48151d526a02d52e3b7f0fda1ffe90af554a52e85bbf34d9
Opcode Fuzzy Hash: cebbfc0f584d1be58e88791ac9d2e35407e8704d97e1cd3bb87266d00d70ee89
Instruction Fuzzy Hash: 4E11EFB0418380AFD310AF618494A1FFBE5EB96714F248C0DF5A49B251C375D859CF56

Function 00246EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9705825b1d8e109d1a00a1b80eda3633d65f4d6a2961faa1e953192412362d9
Instruction ID: 9fa11c9a84cb3ef0e674cdf838772171c292fe4f88836c0079eb8d7cafe71236
Opcode Fuzzy Hash: e9705825b1d8e109d1a00a1b80eda3633d65f4d6a2961faa1e953192412362d9
Instruction Fuzzy Hash: 82F0593E72920A0FA215CDAAF88883BF3D6D7DA354B05153DEE81C3611CD72E80682D1

Function 0027B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 0025C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 0025B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 571778a3a5f56cc0c90cf0f1b56744c6e85295d216e00405ff2b3bdcdf00f629
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 7BF0A7B162451057DF338A549C90B37BB9CCB97355F190426EC4557183D2715C5DC3E9

Function 00278220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f21171648d546c438ffd9a9abfdea042495395b2529c56c4ebc6e58d75606dc
Instruction ID: 49394107139134d5b348673c4acbea34dfc6652c8c781afa45c97611bd86a332
Opcode Fuzzy Hash: 6f21171648d546c438ffd9a9abfdea042495395b2529c56c4ebc6e58d75606dc
Instruction Fuzzy Hash: 8501E4B44107009FC360EF29C445B47BBE8EB08714F104A1DE8AECB680D770A5588B82

Function 00281440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 409e244ff55ee78141bfe3b77f5db34c3080ff823d661259ae451d5aa4e4fdc7
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 22D0973560832286AF348E19A4008B7F3F4EAC3B01F48801EF582E31C8D330DC12C3A8

Function 00251ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af95b1d3dc82ddec7b99940670a5c2f1e0eae47f5987d04555e90120cb4f072f
Instruction ID: c0b03742911814e24928aebfcef48b38ceda5f64fb0d782e2fc122b13af1da14
Opcode Fuzzy Hash: af95b1d3dc82ddec7b99940670a5c2f1e0eae47f5987d04555e90120cb4f072f
Instruction Fuzzy Hash: AAC01238A2A0008B82849F00B999932B3B8A306309700B02BDA02E3221DA60D426CA09

Function 00286094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aeef08fabc61a990092a6aba5e7daf1be6cc7a7cc6b4f547327d3eed6f6db81
Instruction ID: 70a463cb923ba5908c064b5a18ee3f588f152bdb08c1d0860c1164ca7fe65560
Opcode Fuzzy Hash: 0aeef08fabc61a990092a6aba5e7daf1be6cc7a7cc6b4f547327d3eed6f6db81
Instruction Fuzzy Hash: B8C04C3866D000869108CE04E969475E2669AA7628624B01AC80A23695C124D512951C

Function 00251A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ad4e03eeeb94fe97e0ae75e7a327826681bbe39e767397a06907151368b97c
Instruction ID: f3917e73227a962dd4f6cfd36e62504c81e2de8eb1ec6afebfb8238c16fad98d
Opcode Fuzzy Hash: e3ad4e03eeeb94fe97e0ae75e7a327826681bbe39e767397a06907151368b97c
Instruction Fuzzy Hash: 99C04C39A6A0408A82848E85B995532A3A85316209714703B9B02E7261D560D4258609

Function 00285FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072149939.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.2072124446.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.00000000002A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000428000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072210110.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072488733.0000000000558000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2072607974.00000000006FE000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6301bcafc9b1383428af69c17d1a97369e60e2061873d6c4c37c61107396239
Instruction ID: b088e64db61e386926a8cb81503c1b064fc9bb6951d5877d9084b939be0916fa
Opcode Fuzzy Hash: e6301bcafc9b1383428af69c17d1a97369e60e2061873d6c4c37c61107396239
Instruction Fuzzy Hash: 43C09B2476800047924CCF14ED69535F2B69B9752C714B01EC80963255D134D511850C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 0024FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 0024D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00285700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 00285BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0028695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 0025049B Relevance: .3, Instructions: 264
COMMON

Function 0042F205 Relevance: 4.6, APIs: 3, Instructions: 93
registryCOMMON

Function 00283220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00283202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON