Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528628
MD5:	dbb2a8b4b3407d25e9d79d7d1acefbf9
SHA1:	7aa9ca07cffa6d3363b4747dd096848ba8607642
SHA256:	c84a4857c8a3ac287f538316ebb0dde2946436654b192d97ce00bf68d5b12b3f
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DBB2A8B4B3407D25E9D79D7D1ACEFBF9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["clearancek.site", "spirittunek.stor", "bathdoomgaz.stor", "mobbipenju.stor", "eaglepawnoy.stor", "studennotediw.stor", "licendfilteo.site", "dissapoiznw.stor"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T05:27:09.561128+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.6	58093	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T05:27:09.507600+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.6	61802	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T05:27:09.540715+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.6	53271	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T05:27:09.529820+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.6	60079	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T05:27:09.582042+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.6	55578	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T05:27:09.519409+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.6	56176	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T05:27:09.572303+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.6	58040	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T05:27:09.551294+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.6	61156	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.6220.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "spirittunek.stor", "bathdoomgaz.stor", "mobbipenju.stor", "eaglepawnoy.stor", "studennotediw.stor", "licendfilteo.site", "dissapoiznw.stor"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: eaglepawnoy.store	Virustotal: Detection: 17%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 13%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 13%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 13%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 13%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: https://licendfilteo.site:443/api	Virustotal: Detection: 16%	Perma Link
Source: https://clearancek.site:443/apii	Virustotal: Detection: 5%	Perma Link
Source: https://spirittunek.store:443/api	Virustotal: Detection: 17%	Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_001650FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0012D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0012D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_001663B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_0016695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_001699D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0012FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00130EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00121000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_0015F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00136F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00164040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00166094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0014D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00142260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00142260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_001342FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0012A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_001523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_001523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_001523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_001523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_001523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_001523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0013B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0014E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0013D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00161440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0014C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_001664B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00149510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00136536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00167520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00128590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0015B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0014E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00167710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00165700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0014D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_001667EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_001428E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00163920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0013D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_001249A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00131A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00125A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00164A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00131ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00169B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_0013DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_0013DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00150B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00133BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00131BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00147C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_0015FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_0014EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0014AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_0014AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_0014CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0014CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_0014CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00169CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00169CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_0014FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0014DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00168D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00134E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_0014AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00145E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00147E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00131E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_0012BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00136EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00126EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0015FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00149F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00136F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00165FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00128FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_0013FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00167FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00167FC0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:61802 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:56176 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:58040 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:61156 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:55578 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:58093 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:53271 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:60079 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: dissapoiznw.stor

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-anc equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=83d866c968fb26d98cc1ae39; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 03:27:10 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control=NW equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2203445844.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/apii
Source: file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.2203445844.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000002.2203445844.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2200222126.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2203445844.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/7&
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2203445844.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.2203445844.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900gO
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000002.2203584874.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000002.2203584874.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49713 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00130228	0_2_00130228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00121000	0_2_00121000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00132030	0_2_00132030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B	0_2_002FA07B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00164040	0_2_00164040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023704F	0_2_0023704F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002920A6	0_2_002920A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016A0D0	0_2_0016A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00125160	0_2_00125160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0012E1A0	0_2_0012E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001271F0	0_2_001271F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027B245	0_2_0027B245
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002492A3	0_2_002492A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F029B	0_2_002F029B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001582D0	0_2_001582D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001512D0	0_2_001512D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001212F7	0_2_001212F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0012A300	0_2_0012A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037831D	0_2_0037831D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002EE37B	0_2_002EE37B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001213A3	0_2_001213A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0012B3A0	0_2_0012B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001523E0	0_2_001523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014C470	0_2_0014C470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0013049B	0_2_0013049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00134487	0_2_00134487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001564F0	0_2_001564F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A64ED	0_2_001A64ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020952F	0_2_0020952F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00128590	0_2_00128590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001235B0	0_2_001235B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FD5F3	0_2_002FD5F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F35CF	0_2_002F35CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0013C5F0	0_2_0013C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F5630	0_2_002F5630
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015F620	0_2_0015F620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00168652	0_2_00168652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0012164F	0_2_0012164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001686F0	0_2_001686F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00258730	0_2_00258730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0038170B	0_2_0038170B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00255775	0_2_00255775
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C07A9	0_2_003C07A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0012A850	0_2_0012A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00151860	0_2_00151860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015E8A0	0_2_0015E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015B8C0	0_2_0015B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C1912	0_2_001C1912
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014098B	0_2_0014098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001689A0	0_2_001689A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002EC9C4	0_2_002EC9C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021CA13	0_2_0021CA13
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00164A40	0_2_00164A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00168A80	0_2_00168A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00167AB0	0_2_00167AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0013DB6F	0_2_0013DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FBBAE	0_2_002FBBAE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002EBBF8	0_2_002EBBF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F8BF8	0_2_002F8BF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00127BF0	0_2_00127BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00168C02	0_2_00168C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00166CBF	0_2_00166CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D1C94	0_2_002D1C94
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014CCD0	0_2_0014CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014FD10	0_2_0014FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014DD29	0_2_0014DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00148D62	0_2_00148D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F1E0B	0_2_002F1E0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00134E2A	0_2_00134E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014AE57	0_2_0014AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00168E70	0_2_00168E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0012BEB0	0_2_0012BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00136EBF	0_2_00136EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0012AF10	0_2_0012AF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00128FD0	0_2_00128FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00167FC0	0_2_00167FC0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0012CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0013D300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994069719471947
Source: file.exe	Static PE information: Section: vwvuroap ZLIB complexity 0.9942688043152532

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00158220 CoCreateInstance,

0_2_00158220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1878528 > 1048576

Source: file.exe

Static PE information: Raw size of vwvuroap is bigger than: 0x100000 < 0x1a1200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.120000.0.unpack :EW;.rsrc :W;.idata :W; :EW;vwvuroap:EW;oqopovqr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;vwvuroap:EW;oqopovqr:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1d80a8 should be: 0x1d384c

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: vwvuroap
Source: file.exe	Static PE information: section name: oqopovqr
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018700A push 43FC4BD9h; mov dword ptr [esp], esi	0_2_0018A4CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037802A push edx; mov dword ptr [esp], esi	0_2_00378062
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037802A push ecx; mov dword ptr [esp], ebp	0_2_003780BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0037802A push 294A9EE7h; mov dword ptr [esp], ebx	0_2_003780D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00365005 push 2006AF38h; mov dword ptr [esp], eax	0_2_0036504A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push ecx; mov dword ptr [esp], ebp	0_2_002FA080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push edx; mov dword ptr [esp], esp	0_2_002FA084
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push edi; mov dword ptr [esp], 7D7E5C00h	0_2_002FA08D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push edi; mov dword ptr [esp], esi	0_2_002FA131
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push ecx; mov dword ptr [esp], 503B3797h	0_2_002FA165
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push eax; mov dword ptr [esp], 38B9D529h	0_2_002FA1A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push edi; mov dword ptr [esp], 2743A5DFh	0_2_002FA1B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push eax; mov dword ptr [esp], 7FBF8130h	0_2_002FA1CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push 65025BDDh; mov dword ptr [esp], ecx	0_2_002FA230
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push 70F21C9Bh; mov dword ptr [esp], esi	0_2_002FA2D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push 1BA515FBh; mov dword ptr [esp], edx	0_2_002FA2F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push 1189C2A1h; mov dword ptr [esp], edi	0_2_002FA38F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push ecx; mov dword ptr [esp], ebx	0_2_002FA39A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push esi; mov dword ptr [esp], ecx	0_2_002FA46A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push edi; mov dword ptr [esp], eax	0_2_002FA4AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push eax; mov dword ptr [esp], 388AADC0h	0_2_002FA4B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push ebx; mov dword ptr [esp], esi	0_2_002FA4F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push 7E115500h; mov dword ptr [esp], ecx	0_2_002FA56E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push ebx; mov dword ptr [esp], eax	0_2_002FA661
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push ecx; mov dword ptr [esp], eax	0_2_002FA6BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push edx; mov dword ptr [esp], eax	0_2_002FA716
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push 71BA81BBh; mov dword ptr [esp], eax	0_2_002FA7A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push eax; mov dword ptr [esp], ecx	0_2_002FA7AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push 45AB8DC4h; mov dword ptr [esp], eax	0_2_002FA7E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push ebx; mov dword ptr [esp], ecx	0_2_002FA7FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FA07B push ebx; mov dword ptr [esp], ecx	0_2_002FA803

Source: file.exe	Static PE information: section name: entropy: 7.975619384909993
Source: file.exe	Static PE information: section name: vwvuroap entropy: 7.95444617010904

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F30B8 second address: 2F30BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30302E second address: 30306A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA370h 0x00000007 jmp 00007FC8F8BFA36Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007FC8F8BFA37Eh 0x00000014 jmp 00007FC8F8BFA378h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30306A second address: 30306F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30306F second address: 303075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3031C4 second address: 3031CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC8F9726776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 303465 second address: 303481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F8BFA36Dh 0x00000009 popad 0x0000000a push edi 0x0000000b js 00007FC8F8BFA366h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30371B second address: 30373D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC8F9726789h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3038B9 second address: 3038EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jmp 00007FC8F8BFA373h 0x0000000d jmp 00007FC8F8BFA375h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 305DE5 second address: 305E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jnc 00007FC8F9726776h 0x0000000e jmp 00007FC8F9726787h 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 movsx edi, bx 0x0000001b push 00000000h 0x0000001d clc 0x0000001e push 580236C7h 0x00000023 push esi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FC8F9726785h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 305F59 second address: 305F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 305F5D second address: 305FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 0D798C02h 0x0000000d jne 00007FC8F972677Bh 0x00000013 push 00000003h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FC8F9726778h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f jmp 00007FC8F972677Bh 0x00000034 push 00000000h 0x00000036 push 00000003h 0x00000038 jmp 00007FC8F9726786h 0x0000003d mov edx, dword ptr [ebp+122D39A5h] 0x00000043 push D08B4B62h 0x00000048 push edi 0x00000049 jbe 00007FC8F972677Ch 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 305FD2 second address: 306018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 xor dword ptr [esp], 108B4B62h 0x0000000c mov dword ptr [ebp+122D28C3h], esi 0x00000012 lea ebx, dword ptr [ebp+12455CBDh] 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FC8F8BFA368h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 add esi, dword ptr [ebp+122D3A91h] 0x00000038 push eax 0x00000039 jo 00007FC8F8BFA374h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306018 second address: 30601C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306058 second address: 306062 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC8F8BFA366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306062 second address: 30607F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F9726789h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306150 second address: 30616A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC8F8BFA36Ch 0x00000008 ja 00007FC8F8BFA366h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jg 00007FC8F8BFA374h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30616A second address: 306170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 328071 second address: 328075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325F2A second address: 325F2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32622F second address: 32625C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F8BFA36Dh 0x00000009 jmp 00007FC8F8BFA373h 0x0000000e popad 0x0000000f js 00007FC8F8BFA36Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32625C second address: 326268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007FC8F9726776h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326268 second address: 326296 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA36Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jns 00007FC8F8BFA366h 0x00000016 popad 0x00000017 jns 00007FC8F8BFA36Eh 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3263E4 second address: 326413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC8F9726789h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FC8F9726776h 0x00000015 jnl 00007FC8F9726776h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3266F5 second address: 3266FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3266FD second address: 326702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326702 second address: 326724 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA373h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jng 00007FC8F8BFA366h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326724 second address: 326744 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC8F9726776h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FC8F9726778h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC8F972677Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3268A3 second address: 3268BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jnc 00007FC8F8BFA36Ch 0x0000000d jo 00007FC8F8BFA366h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3268BA second address: 3268BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3268BE second address: 3268D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FC8F8BFA368h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326CC4 second address: 326CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC8F9726776h 0x0000000a popad 0x0000000b pushad 0x0000000c jno 00007FC8F9726776h 0x00000012 jmp 00007FC8F972677Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326CE2 second address: 326D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FC8F8BFA366h 0x0000000a popad 0x0000000b jmp 00007FC8F8BFA36Bh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 push edx 0x00000015 pop edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop esi 0x00000019 push eax 0x0000001a jg 00007FC8F8BFA366h 0x00000020 jp 00007FC8F8BFA366h 0x00000026 pop eax 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326D0F second address: 326D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F972677Dh 0x00000009 jo 00007FC8F9726776h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326FC4 second address: 326FCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326FCA second address: 326FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326FD0 second address: 326FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326FD4 second address: 326FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 326FDF second address: 326FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32717C second address: 32719A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC8F9726783h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32719A second address: 3271A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 327AF3 second address: 327AFF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC8F972677Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 327C3C second address: 327C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007FC8F8BFA366h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 327C49 second address: 327C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 327C4F second address: 327C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 327C5A second address: 327C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3297C3 second address: 3297CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F4AEB second address: 2F4AF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32DFA4 second address: 32DFA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32CEE4 second address: 32CEE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32CEE8 second address: 32CEEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32D6F7 second address: 32D6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32D6FE second address: 32D704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32E7FC second address: 32E800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32E800 second address: 32E806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32E806 second address: 32E818 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007FC8F9726776h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 332EB7 second address: 332EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 332EBD second address: 332ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F972677Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3335A3 second address: 3335BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA378h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 335688 second address: 33568D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3358F4 second address: 3358F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3358F8 second address: 335901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 335A66 second address: 335A6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 335A6C second address: 335A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 335A70 second address: 335A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 335EB8 second address: 335EF4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007FC8F9726776h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebx 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FC8F9726778h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 push eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d jl 00007FC8F9726776h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 335FAB second address: 335FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC8F8BFA366h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33607C second address: 336086 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC8F9726776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336192 second address: 336198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336198 second address: 33619C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336296 second address: 33629A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336A7E second address: 336AFE instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC8F9726778h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007FC8F9726786h 0x00000010 xor esi, dword ptr [ebp+122D38E1h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FC8F9726778h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007FC8F9726778h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e mov esi, dword ptr [ebp+122D2962h] 0x00000054 sbb esi, 449F6531h 0x0000005a push eax 0x0000005b pushad 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 338411 second address: 33841B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC8F8BFA366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33841B second address: 338489 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC8F972677Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FC8F9726778h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D3839h] 0x0000002d push 00000000h 0x0000002f movsx edi, bx 0x00000032 xor dword ptr [ebp+122D2E84h], esi 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007FC8F9726778h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000017h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 mov edi, esi 0x00000056 xchg eax, ebx 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a push ecx 0x0000005b pop ecx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 338F20 second address: 338F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F8BFA374h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 339A66 second address: 339A74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F972677Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33B950 second address: 33B96A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA376h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33B96A second address: 33B96F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33B96F second address: 33B975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33E7E0 second address: 33E807 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FC8F972678Dh 0x00000010 jmp 00007FC8F9726787h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33E807 second address: 33E80C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33ED5F second address: 33ED81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC8F9726785h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33ED81 second address: 33ED86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33EEB0 second address: 33EEB5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33EEB5 second address: 33EEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a jng 00007FC8F8BFA366h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33FEF2 second address: 33FEF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340B94 second address: 340BAD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jl 00007FC8F8BFA368h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007FC8F8BFA366h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340BAD second address: 340BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340BB1 second address: 340C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a jmp 00007FC8F8BFA377h 0x0000000f push 00000000h 0x00000011 js 00007FC8F8BFA37Ch 0x00000017 jmp 00007FC8F8BFA376h 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC8F8BFA36Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340E16 second address: 340E20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FC8F9726776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340E20 second address: 340E41 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC8F8BFA366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC8F8BFA372h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 342C94 second address: 342C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 341C85 second address: 341C89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343C64 second address: 343C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343DE3 second address: 343DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345C86 second address: 345C8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343DE7 second address: 343DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345C8A second address: 345C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343DEB second address: 343EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jns 00007FC8F8BFA36Ah 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FC8F8BFA368h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 xor ebx, dword ptr [ebp+122D2B24h] 0x0000002f push dword ptr fs:[00000000h] 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007FC8F8BFA368h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 mov dword ptr fs:[00000000h], esp 0x00000057 jmp 00007FC8F8BFA377h 0x0000005c mov eax, dword ptr [ebp+122D0871h] 0x00000062 mov ebx, 4454A008h 0x00000067 push FFFFFFFFh 0x00000069 mov bh, al 0x0000006b mov ebx, dword ptr [ebp+122D1CA8h] 0x00000071 nop 0x00000072 jmp 00007FC8F8BFA375h 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c jnp 00007FC8F8BFA366h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345C90 second address: 345CA2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC8F9726778h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343EA8 second address: 343EAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343EAC second address: 343EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345DD3 second address: 345DD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 347DED second address: 347DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC8F9726776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 347DF7 second address: 347E65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D383Dh] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FC8F8BFA368h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov bl, 19h 0x0000002f push 00000000h 0x00000031 pushad 0x00000032 call 00007FC8F8BFA373h 0x00000037 mov ecx, edi 0x00000039 pop ecx 0x0000003a mov dword ptr [ebp+122D2D55h], ecx 0x00000040 popad 0x00000041 xchg eax, esi 0x00000042 push edx 0x00000043 jmp 00007FC8F8BFA36Ah 0x00000048 pop edx 0x00000049 push eax 0x0000004a jbe 00007FC8F8BFA374h 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 pop edi 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345EA3 second address: 345ECE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC8F9726783h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push edx 0x0000000e jp 00007FC8F9726776h 0x00000014 pop edx 0x00000015 je 00007FC8F972677Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 349FC2 second address: 349FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC8F8BFA366h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 349FCD second address: 349FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC501 second address: 2EC507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A54F second address: 34A567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F9726784h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A61D second address: 34A623 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A623 second address: 34A628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34B6E4 second address: 34B6E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A88A second address: 34A89E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC8F972677Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A89E second address: 34A8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007FC8F8BFA37Dh 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34B836 second address: 34B89B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movsx edi, ax 0x0000000e push dword ptr fs:[00000000h] 0x00000015 stc 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007FC8F9726778h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 push esi 0x00000038 mov edi, eax 0x0000003a pop edi 0x0000003b mov eax, dword ptr [ebp+122D0341h] 0x00000041 mov dword ptr [ebp+1245C35Eh], ecx 0x00000047 movsx ebx, ax 0x0000004a push FFFFFFFFh 0x0000004c clc 0x0000004d mov edi, dword ptr [ebp+1247A87Ch] 0x00000053 push eax 0x00000054 jng 00007FC8F9726780h 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d pop eax 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 346E80 second address: 346E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F8BFA373h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 346E98 second address: 346E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 346E9E second address: 346EA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 346EA2 second address: 346EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 346EB1 second address: 346EB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 346EB7 second address: 346EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FC8F9726776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 346EC1 second address: 346F34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 ja 00007FC8F8BFA367h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov di, 1F00h 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 adc bl, 0000006Dh 0x00000024 mov eax, dword ptr [ebp+122D1041h] 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FC8F8BFA368h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 push FFFFFFFFh 0x00000046 push 00000000h 0x00000048 push ecx 0x00000049 call 00007FC8F8BFA368h 0x0000004e pop ecx 0x0000004f mov dword ptr [esp+04h], ecx 0x00000053 add dword ptr [esp+04h], 0000001Ah 0x0000005b inc ecx 0x0000005c push ecx 0x0000005d ret 0x0000005e pop ecx 0x0000005f ret 0x00000060 nop 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 346F34 second address: 346F58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC8F972677Fh 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007FC8F9726776h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34C852 second address: 34C858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34D8D9 second address: 34D8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34F9C6 second address: 34F9CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34F9CD second address: 34F9D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC8F9726776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34F9D7 second address: 34FA5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007FC8F8BFA372h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FC8F8BFA368h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D2723h], ecx 0x00000030 push dword ptr fs:[00000000h] 0x00000037 or dword ptr [ebp+122D30ABh], ebx 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 jp 00007FC8F8BFA36Ch 0x0000004a mov eax, dword ptr [ebp+122D07ADh] 0x00000050 mov dword ptr [ebp+1247AE31h], ecx 0x00000056 push FFFFFFFFh 0x00000058 mov dword ptr [ebp+122D2DFBh], eax 0x0000005e nop 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 jl 00007FC8F8BFA366h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34FA5B second address: 34FA7D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC8F9726776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC8F9726786h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34FA7D second address: 34FA9B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC8F8BFA366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC8F8BFA36Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34FA9B second address: 34FAA5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC8F9726776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 352030 second address: 352034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 352034 second address: 352038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35B5BA second address: 35B5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F8BFA378h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35F7D5 second address: 35F80A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ebx 0x00000009 push esi 0x0000000a jmp 00007FC8F9726783h 0x0000000f pop esi 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC8F9726780h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35F80A second address: 35F821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F8BFA373h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3651E8 second address: 3651EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 365349 second address: 36534F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36534F second address: 365353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 365353 second address: 365363 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA36Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3657CE second address: 3657D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3657D3 second address: 3657FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC8F8BFA366h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jc 00007FC8F8BFA385h 0x00000013 jmp 00007FC8F8BFA36Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3657FB second address: 3657FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 365C42 second address: 365C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F8BFA375h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36B2E8 second address: 36B303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F9726785h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36B766 second address: 36B76A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36B76A second address: 36B76E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36B76E second address: 36B77F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC8F8BFA36Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36AC75 second address: 36AC89 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC8F9726776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FC8F972677Ah 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36AC89 second address: 36AC8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 36BA27 second address: 36BA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33CF6F second address: 33CF73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33CF73 second address: 33CF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D123 second address: 33D133 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA36Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D133 second address: 33D16C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F9726785h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e jmp 00007FC8F9726782h 0x00000013 pop ebx 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D2AB second address: 33D2AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D2AF second address: 33D2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC8F972677Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D644 second address: 33D654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F8BFA36Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D654 second address: 33D678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007FC8F9726787h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D678 second address: 33D67D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D67D second address: 33D707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F9726782h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FC8F9726778h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 jmp 00007FC8F9726784h 0x0000002c push 00000004h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007FC8F9726778h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 jnc 00007FC8F9726782h 0x0000004e add ecx, 33C1CF73h 0x00000054 nop 0x00000055 pushad 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D707 second address: 33D70D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D70D second address: 33D715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33DF6A second address: 33DF7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC8F8BFA366h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33DF7E second address: 33DF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33DF82 second address: 33E005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA374h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FC8F8BFA36Ch 0x0000000f jo 00007FC8F8BFA366h 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FC8F8BFA368h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 or cl, FFFFFF95h 0x00000034 jmp 00007FC8F8BFA377h 0x00000039 lea eax, dword ptr [ebp+1248C924h] 0x0000003f mov dword ptr [ebp+122D2812h], edx 0x00000045 nop 0x00000046 jmp 00007FC8F8BFA36Bh 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33E005 second address: 33E00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33E00C second address: 31EF46 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC8F8BFA36Ch 0x00000008 jne 00007FC8F8BFA366h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 ja 00007FC8F8BFA373h 0x00000017 call dword ptr [ebp+122D1D14h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FC8F8BFA376h 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EF46 second address: 31EF4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EF4B second address: 31EF83 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FC8F8BFA372h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FC8F8BFA36Ah 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 jnc 00007FC8F8BFA372h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F66BD second address: 2F670E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FC8F9726785h 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jnp 00007FC8F9726782h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007FC8F972677Bh 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 jne 00007FC8F972677Ah 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F670E second address: 2F6725 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC8F8BFA36Ch 0x00000008 jl 00007FC8F8BFA366h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 371047 second address: 37104B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37194A second address: 371950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 371950 second address: 371954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 371954 second address: 371976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA379h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 371976 second address: 37197C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37197C second address: 371982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377B79 second address: 377B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007FC8F9726788h 0x0000000b jmp 00007FC8F972677Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FEB82 second address: 2FEB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 376ADD second address: 376AE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FC8F9726776h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3770DF second address: 3770EB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC8F8BFA366h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3770EB second address: 3770F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37753A second address: 377559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC8F8BFA366h 0x0000000a jmp 00007FC8F8BFA371h 0x0000000f popad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377559 second address: 37755F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F66E6 second address: 2F670E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC8F8BFA366h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FC8F8BFA36Bh 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jne 00007FC8F8BFA36Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377A07 second address: 377A11 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC8F9726776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377A11 second address: 377A1B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC8F8BFA383h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37EE58 second address: 37EE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC8F9726781h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37EE70 second address: 37EE77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3816AE second address: 3816C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC8F972677Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 381AFF second address: 381B11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FC8F8BFA366h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 381B11 second address: 381B19 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 381B19 second address: 381B2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c jnl 00007FC8F8BFA366h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 381B2D second address: 381B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jnl 00007FC8F9726776h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38433C second address: 384344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384344 second address: 384360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC8F9726787h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384360 second address: 384371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F8BFA36Bh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384371 second address: 384383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F972677Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 383EF1 second address: 383EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384025 second address: 384046 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC8F9726789h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3888AA second address: 3888B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3888B0 second address: 3888D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC8F9726783h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FC8F9726776h 0x00000015 jne 00007FC8F9726776h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 388BCA second address: 388BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FC8F8BFA36Ch 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 388BDF second address: 388BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38CDF8 second address: 38CDFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38CDFC second address: 38CE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC8F972677Ah 0x0000000f push edi 0x00000010 jmp 00007FC8F9726787h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38C36F second address: 38C373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38C373 second address: 38C379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38C379 second address: 38C39E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007FC8F8BFA373h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38C39E second address: 38C3A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39288B second address: 392895 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC8F8BFA366h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 392895 second address: 3928A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3928A1 second address: 3928A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39126F second address: 391281 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC8F9726776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007FC8F9726778h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39161B second address: 39161F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39161F second address: 39163C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC8F9726776h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC8F9726781h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39163C second address: 391662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA36Bh 0x00000007 push ebx 0x00000008 jp 00007FC8F8BFA366h 0x0000000e jns 00007FC8F8BFA366h 0x00000014 pop ebx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jc 00007FC8F8BFA393h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 391961 second address: 391965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 391965 second address: 391999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA373h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FC8F8BFA375h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D96E second address: 33D974 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D974 second address: 33D98F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007FC8F8BFA366h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FC8F8BFA36Ch 0x00000015 je 00007FC8F8BFA366h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33D98F second address: 33D995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 399EA3 second address: 399EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 399EA9 second address: 399EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FC8F972677Eh 0x0000000a jl 00007FC8F972677Eh 0x00000010 jng 00007FC8F9726776h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c jmp 00007FC8F9726788h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 397E6E second address: 397E7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC8F8BFA366h 0x0000000a jp 00007FC8F8BFA366h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 398044 second address: 398048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 398048 second address: 3980A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA379h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FC8F8BFA384h 0x0000000f jmp 00007FC8F8BFA378h 0x00000014 jnp 00007FC8F8BFA366h 0x0000001a jnc 00007FC8F8BFA36Ah 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FC8F8BFA36Dh 0x00000027 jg 00007FC8F8BFA366h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 398527 second address: 398533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FC8F9726776h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 398533 second address: 398537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 398537 second address: 39853D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39853D second address: 398568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FC8F8BFA393h 0x0000000e jbe 00007FC8F8BFA379h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 398568 second address: 39856C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 398836 second address: 39884E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FC8F8BFA373h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 398B4C second address: 398B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3990B2 second address: 3990B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 39937C second address: 399388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC8F9726776h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A36E5 second address: 3A36E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A36E9 second address: 3A36EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A36EF second address: 3A373B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FC8F8BFA36Ch 0x00000010 push eax 0x00000011 pop eax 0x00000012 jbe 00007FC8F8BFA366h 0x00000018 popad 0x00000019 je 00007FC8F8BFA37Ch 0x0000001f jmp 00007FC8F8BFA374h 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A2A0D second address: 3A2A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F972677Eh 0x00000009 jbe 00007FC8F9726776h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A2A26 second address: 3A2A35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC8F8BFA36Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A2E65 second address: 3A2E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3A33F2 second address: 3A3404 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA36Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3ACEDB second address: 3ACEDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3ACEDF second address: 3ACF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F8BFA36Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007FC8F8BFA36Ah 0x00000011 js 00007FC8F8BFA366h 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3AB0BA second address: 3AB0D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F9726783h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3AB0D1 second address: 3AB106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA375h 0x00000007 pushad 0x00000008 jmp 00007FC8F8BFA375h 0x0000000d jng 00007FC8F8BFA366h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3AB106 second address: 3AB11D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FC8F972677Ah 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3AB11D second address: 3AB123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3AB123 second address: 3AB12B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3AB9F7 second address: 3ABA09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jne 00007FC8F8BFA366h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3ABA09 second address: 3ABA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC8F9726776h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007FC8F9726776h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3ABA1E second address: 3ABA2C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC8F8BFA366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3ABD08 second address: 3ABD0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3ABD0D second address: 3ABD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F8BFA374h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3ABFA5 second address: 3ABFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3AC64B second address: 3AC64F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B10A5 second address: 3B10AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B10AE second address: 3B10C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC8F8BFA372h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B10C8 second address: 3B10CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B0F00 second address: 3B0F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B0F06 second address: 3B0F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B3F25 second address: 3B3F47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA36Dh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FC8F8BFA36Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B411F second address: 3B4123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3B4123 second address: 3B4127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C04FF second address: 3C0503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C0503 second address: 3C0518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FC8F8BFA36Ch 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C7B3E second address: 3C7B4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F972677Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C7B4F second address: 3C7B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C7B55 second address: 3C7B60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FC8F9726776h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C7B60 second address: 3C7B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3C782D second address: 3C784A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F9726786h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D541B second address: 3D541F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D8F0D second address: 3D8F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC8F9726776h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D8F19 second address: 3D8F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FC8F8BFA373h 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D8F33 second address: 3D8F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F972677Fh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3D8F48 second address: 3D8F62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA376h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E0558 second address: 3E055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DEE10 second address: 3DEE14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DEE14 second address: 3DEE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DEE1A second address: 3DEE3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC8F8BFA376h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DEF96 second address: 3DEF9B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DF26A second address: 3DF2A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA375h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC8F8BFA379h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DF2A1 second address: 3DF2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E0267 second address: 3E026B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E381E second address: 3E3823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E3823 second address: 3E3841 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8F8BFA378h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E3841 second address: 3E3845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E3845 second address: 3E384B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E384B second address: 3E3855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E6232 second address: 3E6244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FC8F8BFA36Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EFA0F second address: 2EFA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3E5F96 second address: 3E5F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3EA50D second address: 3EA513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3EA513 second address: 3EA568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA36Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FC8F8BFA370h 0x00000011 jmp 00007FC8F8BFA372h 0x00000016 jg 00007FC8F8BFA366h 0x0000001c jne 00007FC8F8BFA366h 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jne 00007FC8F8BFA366h 0x0000002e jo 00007FC8F8BFA366h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3EA568 second address: 3EA56E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F76C1 second address: 3F76D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC8F8BFA36Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F76D8 second address: 3F7707 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F9726784h 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FC8F9726776h 0x0000000f jmp 00007FC8F9726781h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F7707 second address: 3F770B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3F448E second address: 3F4492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 403DEA second address: 403DF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 40391A second address: 403921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 403AD8 second address: 403ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 403ADE second address: 403B24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F9726786h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007FC8F9726784h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC8F9726781h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 403B24 second address: 403B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41C6E6 second address: 41C714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jbe 00007FC8F9726776h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007FC8F9726776h 0x00000017 jmp 00007FC8F9726787h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41CB2B second address: 41CB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41CDF0 second address: 41CE02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FC8F972677Dh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41CE02 second address: 41CE07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41D0AC second address: 41D0C4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC8F9726776h 0x00000008 je 00007FC8F9726776h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jl 00007FC8F972677Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41D25D second address: 41D269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC8F8BFA378h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ECEF second address: 41ECF9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC8F972677Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ECF9 second address: 41ED29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FC8F8BFA377h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC8F8BFA36Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED29 second address: 41ED41 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC8F972677Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED41 second address: 41ED45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42172A second address: 42174F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC8F9726776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC8F9726786h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42174F second address: 421759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 421A82 second address: 421ACD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d jmp 00007FC8F9726786h 0x00000012 popad 0x00000013 nop 0x00000014 mov dword ptr [ebp+122D2426h], ebx 0x0000001a mov dword ptr [ebp+122D1D21h], edx 0x00000020 push dword ptr [ebp+122D1DDCh] 0x00000026 mov edx, ecx 0x00000028 call 00007FC8F9726779h 0x0000002d jo 00007FC8F9726794h 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 421ACD second address: 421AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8F8BFA376h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 421AEF second address: 421AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 421AF3 second address: 421B03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F8BFA36Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 423142 second address: 423166 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8F972677Ah 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jnc 00007FC8F9726776h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a push esi 0x0000001b pop esi 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53B0C05 second address: 53B0C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53B0C09 second address: 53B0C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53B0C0D second address: 53B0C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53B0C13 second address: 53B0C51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC8F9726782h 0x00000008 pop ecx 0x00000009 mov ecx, edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jns 00007FC8F97267F2h 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007FC8F9726789h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 183B12 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 183C0D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 3B5BEB instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7044	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1320	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2203584874.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2202869594.000000000138E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000000.00000002.2203445844.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: file.exe, 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00165BB0 LdrInitializeThunk,

0_2_00165BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor

Source: file.exe, file.exe, 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: HProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
eaglepawnoy.store	18%	Virustotal	Browse
spirittunek.store	14%	Virustotal	Browse
mobbipenju.store	14%	Virustotal	Browse
studennotediw.store	18%	Virustotal	Browse
clearancek.site	18%	Virustotal	Browse
licendfilteo.site	16%	Virustotal	Browse
dissapoiznw.store	14%	Virustotal	Browse
bathdoomgaz.store	14%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	0%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	0%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
https://www.youtube.com	0%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://steamcommunity.com/workshop/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	0%	Virustotal		Browse
clearancek.site	18%	Virustotal		Browse
licendfilteo.site	16%	Virustotal		Browse
https://steamcommunity.com/7&	0%	Virustotal		Browse
https://sketchfab.com	0%	Virustotal		Browse
https://licendfilteo.site:443/api	17%	Virustotal		Browse
http://127.0.0.1:27060	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	0%	Virustotal		Browse
https://steamcommunity.com	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
https://clearancek.site:443/apii	5%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	0%	Virustotal		Browse
https://spirittunek.store:443/api	18%	Virustotal		Browse
https://www.google.com/recaptcha/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	Virustotal		Browse
https://steamcommunity.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	false	0%, Virustotal, Browse	unknown
eaglepawnoy.store	unknown	unknown	false	18%, Virustotal, Browse	unknown
bathdoomgaz.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
spirittunek.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
licendfilteo.site	unknown	unknown	true	16%, Virustotal, Browse	unknown
studennotediw.store	unknown	unknown	false	18%, Virustotal, Browse	unknown
mobbipenju.store	unknown	unknown	false	14%, Virustotal, Browse	unknown
clearancek.site	unknown	unknown	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	unknown	unknown	false	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true	18%, Virustotal, Browse	unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true	16%, Virustotal, Browse	unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://player.vimeo.com	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000002.2203584874.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.youtube.com	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://licendfilteo.site:443/api	file.exe, 00000000.00000002.2203445844.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	true	17%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/7&	file.exe, 00000000.00000003.2200222126.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2203445844.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://sketchfab.com	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://clearancek.site:443/apii	file.exe, 00000000.00000002.2203445844.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	true	5%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spirittunek.store:443/api	file.exe, 00000000.00000002.2203445844.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	true	18%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000003.2200584013.000000000141F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2202869594.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000002.2203584874.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200192338.0000000001455000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200397550.0000000001413000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com:443/profiles/76561199724331900gO	file.exe, 00000000.00000002.2203445844.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2200222126.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2200192338.000000000145B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528628
Start date and time:	2024-10-08 05:26:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:27:08	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	7AeSqNv1rC.exe	Get hash	malicious	MicroClip, Vidar	Browse	104.102.49.254
	VmRHSCaiyc.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21
	j8zJ5Jwja4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	7AeSqNv1rC.exe	Get hash	malicious	MicroClip, Vidar	Browse	104.102.49.254
	j8zJ5Jwja4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	copyright_infringement_evidence_1.exe	Get hash	malicious	Unknown	Browse	23.47.168.24
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Copyright_Infringement_Evidence.exe	Get hash	malicious	Unknown	Browse	96.17.64.189
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SteamCleanz Marlborough Limited.xlsx	Get hash	malicious	Unknown	Browse	104.102.49.254
	VmRHSCaiyc.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	j8zJ5Jwja4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ctMI3TYXpX.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950519526759209
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'878'528 bytes
MD5:	dbb2a8b4b3407d25e9d79d7d1acefbf9
SHA1:	7aa9ca07cffa6d3363b4747dd096848ba8607642
SHA256:	c84a4857c8a3ac287f538316ebb0dde2946436654b192d97ce00bf68d5b12b3f
SHA512:	b6367e773565ee26cc5345274c7e636b065617f98f0d2d03a9437b7cbc4ed45256074be448a124dda9644ca33bbee181177a06940cf26e5f8dbf1aa8026b4247
SSDEEP:	49152:ZgSIwQEHBWs4pkWjLpWxKDgVOLJnCFf5FqIPl:Zgg/P4n3AKfn8Fz
TLSH:	C695333F4F1AF5FBD4688D794D92360FD050F68291CFA66D19C46A68A7BF8A45320C38
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f............................. K...........@..........................PK...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b2000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FC8F965BABAh
js 00007FC8F965BAD2h
add byte ptr [eax], al
jmp 00007FC8F965DAB5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	c3797000a06c956d40ea785f274ac89d	False	0.9994069719471947	data	7.975619384909993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2af000	0x200	e57c4ee64f38806ac212980efe235adc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vwvuroap	0x30f000	0x1a2000	0x1a1200	43ed9b30ce3b69e66acb78c9cb41fb65	False	0.9942688043152532	data	7.95444617010904	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oqopovqr	0x4b1000	0x1000	0x400	63130fd9b1a5e0d4ae7cec2600b28d75	False	0.81640625	data	6.347408132882363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b2000	0x3000	0x2200	d34f636a68ac23fc33b87e2805946c00	False	0.06433823529411764	DOS executable (COM)	0.8244988145696629	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T05:27:09.507600+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.6	61802	1.1.1.1	53	UDP
2024-10-08T05:27:09.519409+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.6	56176	1.1.1.1	53	UDP
2024-10-08T05:27:09.529820+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.6	60079	1.1.1.1	53	UDP
2024-10-08T05:27:09.540715+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.6	53271	1.1.1.1	53	UDP
2024-10-08T05:27:09.551294+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.6	61156	1.1.1.1	53	UDP
2024-10-08T05:27:09.561128+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.6	58093	1.1.1.1	53	UDP
2024-10-08T05:27:09.572303+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.6	58040	1.1.1.1	53	UDP
2024-10-08T05:27:09.582042+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.6	55578	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 05:27:09.604841948 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:09.604948997 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:09.605041027 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:09.607498884 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:09.607541084 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.256411076 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.256628990 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.258858919 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.258891106 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.259413004 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.300421953 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.301165104 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.343487024 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.718600988 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.718661070 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.718704939 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.718704939 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.718724012 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.718786955 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.718821049 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.718852997 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.718852997 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.718852997 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.718889952 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.718889952 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.798383951 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.798465967 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.798492908 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.798650026 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.798650026 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.830425978 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.830425978 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 05:27:10.830511093 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 05:27:10.830544949 CEST	443	49713	104.102.49.254	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 05:27:09.507600069 CEST	61802	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.515974998 CEST	53	61802	1.1.1.1	192.168.2.6
Oct 8, 2024 05:27:09.519408941 CEST	56176	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.527693987 CEST	53	56176	1.1.1.1	192.168.2.6
Oct 8, 2024 05:27:09.529819965 CEST	60079	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.538259029 CEST	53	60079	1.1.1.1	192.168.2.6
Oct 8, 2024 05:27:09.540714979 CEST	53271	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.549185038 CEST	53	53271	1.1.1.1	192.168.2.6
Oct 8, 2024 05:27:09.551294088 CEST	61156	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.560026884 CEST	53	61156	1.1.1.1	192.168.2.6
Oct 8, 2024 05:27:09.561127901 CEST	58093	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.569812059 CEST	53	58093	1.1.1.1	192.168.2.6
Oct 8, 2024 05:27:09.572303057 CEST	58040	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.581011057 CEST	53	58040	1.1.1.1	192.168.2.6
Oct 8, 2024 05:27:09.582041979 CEST	55578	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.590873003 CEST	53	55578	1.1.1.1	192.168.2.6
Oct 8, 2024 05:27:09.594364882 CEST	65184	53	192.168.2.6	1.1.1.1
Oct 8, 2024 05:27:09.601202011 CEST	53	65184	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 05:27:09.507600069 CEST	192.168.2.6	1.1.1.1	0xdbd6	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.519408941 CEST	192.168.2.6	1.1.1.1	0x2d3e	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.529819965 CEST	192.168.2.6	1.1.1.1	0x3718	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.540714979 CEST	192.168.2.6	1.1.1.1	0x3fd0	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.551294088 CEST	192.168.2.6	1.1.1.1	0x27fd	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.561127901 CEST	192.168.2.6	1.1.1.1	0xffdd	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.572303057 CEST	192.168.2.6	1.1.1.1	0x31ca	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.582041979 CEST	192.168.2.6	1.1.1.1	0xd457	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.594364882 CEST	192.168.2.6	1.1.1.1	0xd15	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 05:27:09.515974998 CEST	1.1.1.1	192.168.2.6	0xdbd6	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.527693987 CEST	1.1.1.1	192.168.2.6	0x2d3e	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.538259029 CEST	1.1.1.1	192.168.2.6	0x3718	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.549185038 CEST	1.1.1.1	192.168.2.6	0x3fd0	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.560026884 CEST	1.1.1.1	192.168.2.6	0x27fd	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.569812059 CEST	1.1.1.1	192.168.2.6	0xffdd	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.581011057 CEST	1.1.1.1	192.168.2.6	0x31ca	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.590873003 CEST	1.1.1.1	192.168.2.6	0xd457	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 05:27:09.601202011 CEST	1.1.1.1	192.168.2.6	0xd15	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	104.102.49.254	443	6220	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 03:27:10 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-08 03:27:10 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 08 Oct 2024 03:27:10 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=83d866c968fb26d98cc1ae39; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-08 03:27:10 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-08 03:27:10 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	0
Start time:	23:27:05
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x120000
File size:	1'878'528 bytes
MD5 hash:	DBB2A8B4B3407D25E9D79D7D1ACEFBF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	57.8%
Total number of Nodes:	45
Total number of Limit Nodes:	5

Executed Functions

Function 001650FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00165182

Strings

<I$), xrefs: 00165198
@^, xrefs: 00165120
<I$), xrefs: 001652E3

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: 8be120bb829442b2f3a6bb60e26d8b8038d72cb3c4565ad5cdf14ddb2b928582
Instruction ID: be2ff1cd48d255adf79dac17b18512d83fa14e080545e649a523719f0a6d9940
Opcode Fuzzy Hash: 8be120bb829442b2f3a6bb60e26d8b8038d72cb3c4565ad5cdf14ddb2b928582
Instruction Fuzzy Hash: 57219D351083848FD300DF68D89072AB7F5AB6A304F69482CE1C9D7362D776D9958B56

Function 0012FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 0012FEDC
VY^_, xrefs: 0012FDFF
t, xrefs: 0012FCBE
J|BJ, xrefs: 0013000D

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 00d9e5b8023198d82b9007fdac67db8745e5003a86602df0cce3367a3d35255b
Instruction ID: 5647d1dab6bde2e00a8e2117fb3c0a5e139f09644ba6ee7f34151c79229bb3e1
Opcode Fuzzy Hash: 00d9e5b8023198d82b9007fdac67db8745e5003a86602df0cce3367a3d35255b
Instruction Fuzzy Hash: 99D1787550C3909BD316DF1495A062FBBF1AB96B44F18882CF4C98B262D336CD4ADB92

Function 0012D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0012D2F1

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d54af06d3c050cd8c8c14fa06ace6253f15d161f76febf0106bb6e27bf439fac
Instruction ID: a0077e8e5767a61f4358fbefebf5051a7fe87350a8dcf63817d1d3915ff9a8e4
Opcode Fuzzy Hash: d54af06d3c050cd8c8c14fa06ace6253f15d161f76febf0106bb6e27bf439fac
Instruction Fuzzy Hash: 3841467440D390ABD301BB68E595A2EFBF5AF62705F148C0CE5C497212C336D824DB67

Function 00165BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0016973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00165BDE

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0016695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 001669C5

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a8d60e030b34eb299dad28bd10c3c6350b12a1c604beb064f2821fc7bdab7848
Instruction ID: d7db176e362a9073bf367c534ffea7affb282cd81ed0268104fe39abc001293e
Opcode Fuzzy Hash: a8d60e030b34eb299dad28bd10c3c6350b12a1c604beb064f2821fc7bdab7848
Instruction Fuzzy Hash: 243198B05183019FD718DF14C8A062AB7F2EF95348F48881CE5C6A72A1E7749964CB56

Function 0013049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff565026fc5949e7c687392450111e7aa36fc0cefe37fb9f03191004af9f0ac
Instruction ID: b4073836165ab05cdf86bf7079da7e8a0a4e60a551a0230ff9d1ed2ee424d411
Opcode Fuzzy Hash: fff565026fc5949e7c687392450111e7aa36fc0cefe37fb9f03191004af9f0ac
Instruction Fuzzy Hash: A8917A75200B00DFD724CF25EC94A26B7F6FF89310F118A6CE8568BAA1D771E856CB50

Function 00130228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e66d3b950a232ff30c9ccc8fde6a93a8980729a13db5b9b1282b82cd4af5f95
Instruction ID: bbf3780cc38038012262a971e724858ae48fc611f45b8305bec55454d6cba4a3
Opcode Fuzzy Hash: 8e66d3b950a232ff30c9ccc8fde6a93a8980729a13db5b9b1282b82cd4af5f95
Instruction Fuzzy Hash: 5B716875204700DFD7258F20EC94B26B7F6FF49315F11896CE89A8BA62C771A856CB50

Function 001699D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a9f9a2101aaac9824e8cae62d2a9c382e45b8ea098ddbe5ec425671050c914
Instruction ID: 6981215281c12b0fc72de175753d8c41e497e54b8a7d7e5712689fdadf23bba0
Opcode Fuzzy Hash: 79a9f9a2101aaac9824e8cae62d2a9c382e45b8ea098ddbe5ec425671050c914
Instruction Fuzzy Hash: 9F419A34208300ABDB149A55ED90F2FB7FAEB85754F64882CE58A9B251D371E861CB62

Function 001663B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9accc2c0692321e06c1848d31dc8263926a1792a96634b0d4d2ba39e65f45f9
Instruction ID: ed37b5ace9d1b0ac023348faa78a54d371dd6a9771ae26338d95dcde6b795077
Opcode Fuzzy Hash: f9accc2c0692321e06c1848d31dc8263926a1792a96634b0d4d2ba39e65f45f9
Instruction Fuzzy Hash: 7631D270649301BAD728DB04CD82F3AB7B6FB90B55FA4890CF6C55B2E1D770A8618B52

Function 00130EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5040d8341c26136111e1a41420acf07b65f36a1240d661fe6845b2a8c11352
Instruction ID: 9b9f289d576e6e7f5d3d94fab36d47ced803d6f1bb2f61709b7dbb1def467bd9
Opcode Fuzzy Hash: 5d5040d8341c26136111e1a41420acf07b65f36a1240d661fe6845b2a8c11352
Instruction Fuzzy Hash: 312139B490022A9FDB15CF94CCA0BBEBBB5FB4A304F144848E411BB292C735A941CB64

Function 00163220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 001632A6

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9d5a0b7523b11fa66275b11f9ae4d1921e5a51c3cae24266dc81b790b5493097
Instruction ID: e02c4e593323cadadc6aa4101e7f342a67531121ed46db0491f164b2abd832d3
Opcode Fuzzy Hash: 9d5a0b7523b11fa66275b11f9ae4d1921e5a51c3cae24266dc81b790b5493097
Instruction Fuzzy Hash: 4701693450D2509BC711EF18E895A2ABBF8EF5AB00F05881CE5C98B361D335DDA4DBA2

Function 00163202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00163208

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f442e66b671c3ffce9a2d823d4bbc708a73d70def260ed7dacbe203190f8fb5b
Instruction ID: fa6338b62b19e697da571eca455ff3f4ab338ddfdee987aade0b859e310f22da
Opcode Fuzzy Hash: f442e66b671c3ffce9a2d823d4bbc708a73d70def260ed7dacbe203190f8fb5b
Instruction Fuzzy Hash: DAB012300400005FDA081B00FC0BF003530EF00609F800050A104040B1D56158E4C554

Non-executed Functions

Function 001523E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON

Download Yara Rule

Strings

3<, xrefs: 001532D6
f@~!, xrefs: 001525FF
mlc@, xrefs: 0015275C
`tii, xrefs: 00152693
%*+(, xrefs: 001540EF
#v, xrefs: 0015344B, 00154861
fedc, xrefs: 00152782
{l`~, xrefs: 0015268C
:, xrefs: 001532DD
ggxz, xrefs: 00152685
aenQ, xrefs: 0015276A
Cx, xrefs: 0015453D
|}&C, xrefs: 00152F21

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$#v
API String ID: 0-2260822535
Opcode ID: 87e9b7f3b13cbe753c0d5f408ce3aaf2ea25b1ba9ea79cd6a2a7c4182f22387f
Instruction ID: 131d94be5227b7ae787e1311b9f4b233d71e12f1341d12503ff72b212e8a6487
Opcode Fuzzy Hash: 87e9b7f3b13cbe753c0d5f408ce3aaf2ea25b1ba9ea79cd6a2a7c4182f22387f
Instruction Fuzzy Hash: B233BD70504B81CBD7258F38C590762BBF1BF16305F58499DD8EA8FA92C735E84ACBA1

Function 0013DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

`Y^_, xrefs: 0013E99E
mjkh, xrefs: 0013E7D8
WP, xrefs: 0013DCEF
lkji, xrefs: 0013E73E
DCBA, xrefs: 0013E887, 0013E896
xgfe, xrefs: 0013E71D
()./, xrefs: 0013E9CA
`onm, xrefs: 0013E733
QNOL, xrefs: 0013E775
89>?, xrefs: 0013E9F6
tuJK, xrefs: 0013E967
@ONM, xrefs: 0013E6DB
dcba, xrefs: 0013E728
AR, xrefs: 0013DD10
|, xrefs: 0013ECB1
89&', xrefs: 0013E93B
<=:;, xrefs: 0013E930
LKJI, xrefs: 0013E6E6
T, xrefs: 0013F157
%*+(, xrefs: 0013DE37, 0013DE46
D, xrefs: 0013E846
:WUE, xrefs: 0013F6B7, 0013F6C6
tsrq, xrefs: 0013E6FC
<=2, xrefs: 0013EA01

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: fb6b5597d1201c054c6e3076b435d9706081e0e5dfb33c7f13ac1d1223a23400
Instruction ID: 53b7541b7767be055c2b40fcc059537540026e8f0146ff804bf715b781c67c23
Opcode Fuzzy Hash: fb6b5597d1201c054c6e3076b435d9706081e0e5dfb33c7f13ac1d1223a23400
Instruction Fuzzy Hash: 8CF287B05083819FD774CF14D894BABBBE6BFD5304F54482CE4C98B292EB719895CB92

Function 00149F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

JG, xrefs: 0014AA27
=], xrefs: 0014A36A
/), xrefs: 0014A66D
N[, xrefs: 0014A375
WH, xrefs: 0014AA1C
]{, xrefs: 0014A1E7, 0014A1F3
CG, xrefs: 0014AA32
?m,o, xrefs: 0014A13C
sm, xrefs: 0014A830
kW, xrefs: 0014A380
%e6g, xrefs: 0014A152
WQ, xrefs: 0014A62B
(a*c, xrefs: 0014A147
hi, xrefs: 0014AB9D
_Y, xrefs: 0014A641
Gt, xrefs: 00149FF8
S], xrefs: 0014A636

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: ad2ed0c50a747a7de6adfd7adb87de53759950c855e874027ad4597173e9de7b
Instruction ID: 69e713b804c05d8e2a51c0a29761d9cb3e0c781ad6a2b81f68cdf57b1b3ad92f
Opcode Fuzzy Hash: ad2ed0c50a747a7de6adfd7adb87de53759950c855e874027ad4597173e9de7b
Instruction Fuzzy Hash: 5752B6B854D385CAE270CF25D581B8EBAF1BB92740F608A1DE1ED9B255DBB08045CF93

Function 00149510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

G'M!, xrefs: 00149ADB
pq, xrefs: 001499E0
L3Y=, xrefs: 00149B03
?M0K, xrefs: 00149968
B7U1, xrefs: 00149AFB
,A&C, xrefs: 0014982E
!E4G, xrefs: 00149836
G+X5, xrefs: 00149AF3
B?Q9, xrefs: 00149B0B
z=Q?, xrefs: 00149826
;IJK, xrefs: 0014983E
X/R), xrefs: 00149AEB
2A"_, xrefs: 00149980
T#a-, xrefs: 00149AE3
8;, xrefs: 00149B13
O+f), xrefs: 00149634, 0014963D

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: fd5b342ee97f82c72cbaac5c14db1c0b61987e1518992d004babbf578948321b
Instruction ID: ef671cf319a1ccf6543fb0472c8f2bb7f467af3417cdc7b701579f7b12bc636d
Opcode Fuzzy Hash: fd5b342ee97f82c72cbaac5c14db1c0b61987e1518992d004babbf578948321b
Instruction Fuzzy Hash: 09F140B4508380ABD310DF15D881A2BBBF4FB9AB48F144D1CF5D99B262D374D948CB96

Function 0014DD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

<Y.[, xrefs: 0014E27D
)IgK, xrefs: 0014E261
upH}, xrefs: 0014DE8A, 0014E798, 0014DF4A
n\+H, xrefs: 0014DDC0
,Q?S, xrefs: 0014E26F
hX]N, xrefs: 0014DDC7
%*+(, xrefs: 0014E143
Y9N;, xrefs: 0014E245
{E, xrefs: 0014E323
=]+_, xrefs: 0014E276
-M2O, xrefs: 0014E25A

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: 7b3549a66346fbd946c51d843ab8b0233020c7c446211ee6b788a60555afe88d
Instruction ID: f406af392e632b253c89ee374910ef56d441cb6f7b781a7bb1a15ca46c43af25
Opcode Fuzzy Hash: 7b3549a66346fbd946c51d843ab8b0233020c7c446211ee6b788a60555afe88d
Instruction Fuzzy Hash: 4B92F271E00215DFDB18CF68D8516AEBBF2FF49310F298168E456AB3A1D735AD41CB90

Function 0014098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

,#15, xrefs: 00140F94
%*+(, xrefs: 00140A77, 00140A86
gce/, xrefs: 00141073
qrqp, xrefs: 00141089
{, xrefs: 00141502
cah`, xrefs: 0014107E
9.5^, xrefs: 00140F9F
&> &, xrefs: 00140F89

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: fe0371fbb32775001b31f6f945d79c200f72196326cb90645c17c899b1fd1a4d
Instruction ID: 59a416699fea75ab267fe8d1c87099e913ba98ba50c959fea05cccd2610ac824
Opcode Fuzzy Hash: fe0371fbb32775001b31f6f945d79c200f72196326cb90645c17c899b1fd1a4d
Instruction Fuzzy Hash: 0A6299B56083818BD730CF14D891BABB7F1FF9A314F08492DE49A8B651E3759984CB93

Function 00121000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00121587, 001215F8
0123456789ABCDEFXP, xrefs: 0012157D, 001215EB
@, xrefs: 00122C40
-, xrefs: 001221ED
gfff, xrefs: 001222E1
gfff, xrefs: 00122297
gfff, xrefs: 00122226

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: cfff460ee03c7edc87263d11787a70afad1571798e687f3fc32ee097a9fe781f
Instruction ID: e266623f9999677f28beacc760e35bdd3653b66754f7d06b838cc449a83c5268
Opcode Fuzzy Hash: cfff460ee03c7edc87263d11787a70afad1571798e687f3fc32ee097a9fe781f
Instruction Fuzzy Hash: 2ED224316083619FC718CE28D49036EBBE2AFD9314F198A2DE499C7391D778DD55CB82

Function 002FBBAE Relevance: 10.3, Strings: 7, Instructions: 1588COMMON

Download Yara Rule

Strings

[dzt, xrefs: 002FC644
1b=j, xrefs: 002FCDC7
1b=j, xrefs: 002FCDA1
+7_, xrefs: 002FBD85
'7];, xrefs: 002FC5F7
[dzt, xrefs: 002FC652
x;W, xrefs: 002FBC6D

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: '7];$+7_$1b=j$1b=j$[dzt$[dzt$x;W
API String ID: 0-1141909480
Opcode ID: d0aa31b8265f0f05d122997180347605c418cc0eddce2ab8deddaa684d78efad
Instruction ID: a3055a8b6d3db244ff5fc745757b078f11e301466c5ec59b3e08f426e154373c
Opcode Fuzzy Hash: d0aa31b8265f0f05d122997180347605c418cc0eddce2ab8deddaa684d78efad
Instruction Fuzzy Hash: 82B228F3A0C2049FE3046E2DEC8567ABBE5EF94720F1A493DEAC5C7344E63598058697

Function 002F8BF8 Relevance: 9.8, Strings: 7, Instructions: 1096COMMON

Download Yara Rule

Strings

4+{}, xrefs: 002F91D3
gzs, xrefs: 002F94F8
$B?, xrefs: 002F8DC0
qt', xrefs: 002F9787
QB?, xrefs: 002F8DA5
r5w, xrefs: 002F8F3F
4+{}, xrefs: 002F97F3, 002F9808, 002F9831, 002F9890

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: $B?$4+{}$4+{}$QB?$gzs$qt'$r5w
API String ID: 0-120531579
Opcode ID: b5aa78b8febf38af631f1460b1d40431729f11fb38ad7d03c436c6a78eeac962
Instruction ID: 2c4f287d048e665409760ab2a40d160d0581273459a347067660812ede1b3af9
Opcode Fuzzy Hash: b5aa78b8febf38af631f1460b1d40431729f11fb38ad7d03c436c6a78eeac962
Instruction Fuzzy Hash: 507207F36082049FE3046E2DEC8576AFBE9EF94724F1A853DEAC4C3744E63598158693

Function 002F35CF Relevance: 9.0, Strings: 6, Instructions: 1510COMMON

Download Yara Rule

Strings

!nz, xrefs: 002F3949
;|xk, xrefs: 002F4137
6R_y, xrefs: 002F3E75
KfE, xrefs: 002F41E9
2Wfu, xrefs: 002F44F3
'4k, xrefs: 002F421E

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: !nz$'4k$2Wfu$6R_y$;|xk$KfE
API String ID: 0-511210964
Opcode ID: 568706a0b563d62bd05da316a787fd23f74b7f9f30f37cf75f7f3a20744e2c90
Instruction ID: 8c8e5e0e241b82f79624bc435f14e0b3feefefc63f229fcff087890484221d49
Opcode Fuzzy Hash: 568706a0b563d62bd05da316a787fd23f74b7f9f30f37cf75f7f3a20744e2c90
Instruction Fuzzy Hash: 12A2F5F360C2049FE3046E2DEC8566AFBE5EFD8720F1A8A3DE6C487744E63558158693

Function 002FD5F3 Relevance: 7.9, Strings: 5, Instructions: 1614COMMON

Download Yara Rule

Strings

~s./, xrefs: 002FE897
s[', xrefs: 002FDF0C
nAi, xrefs: 002FDE08
S1~, xrefs: 002FE0FE
S??[, xrefs: 002FD844

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: S1~$S??[$nAi$~s./$s['
API String ID: 0-4185961207
Opcode ID: a6a020fb9ec10d8e2d5c59b1f60406d82db08e174ae6f17a022e0dc6b74ef048
Instruction ID: 5bdea3970121212c86d4fac4bd6bc0c58a4b91d230c900bddd035319bc438a7e
Opcode Fuzzy Hash: a6a020fb9ec10d8e2d5c59b1f60406d82db08e174ae6f17a022e0dc6b74ef048
Instruction Fuzzy Hash: DFB206F3A0C2049FE304AE2DEC8577ABBE5EF94720F1A853DEAC4C7744E63558058696

Function 002EE37B Relevance: 7.9, Strings: 5, Instructions: 1612COMMON

Download Yara Rule

Strings

\Z', xrefs: 002EE79B
CjT, xrefs: 002EEDE1
9S?v, xrefs: 002EF05F
Kx3}, xrefs: 002EEC48
eqfz, xrefs: 002EE75F

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: 9S?v$CjT$Kx3}$\Z'$eqfz
API String ID: 0-1961263869
Opcode ID: 922cfc8a7f2af93abba90aed37b44ed41fb4ae6e44df6522295c9664fe17455e
Instruction ID: 46f58f09985d2f6625f695dd012fb77e91242dc41712008126f2ffde685843c3
Opcode Fuzzy Hash: 922cfc8a7f2af93abba90aed37b44ed41fb4ae6e44df6522295c9664fe17455e
Instruction Fuzzy Hash: D5B2E5F360C2009FE304AE29DC8567AFBE5EF94720F1A893DEAC4C7744E63598458697

Function 001212F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 0012243E
0, xrefs: 00121DC1
0, xrefs: 00121E88
@, xrefs: 00123531
i, xrefs: 001228EA

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 0f4ec3652fad096a8df625aa98281768bd37a95b8e1978ab3a7b774979406e0f
Instruction ID: 71975c81828a8135bd97ef30d41feea6e3e2c699555fc6569ce6f8dc1cedff1c
Opcode Fuzzy Hash: 0f4ec3652fad096a8df625aa98281768bd37a95b8e1978ab3a7b774979406e0f
Instruction Fuzzy Hash: C762F17160C3A1AFC319CF28D49076EBBE1AFD5304F188A2DE8D987291D774D959CB82

Function 0012164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00121659
0123456789ABCDEFXP, xrefs: 0012164F
+, xrefs: 00121573
gfff, xrefs: 00121F3C
gfff, xrefs: 00121F57

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 0196a7fad1f592ddc0aad44d7248ca1a3d314ee9c6937c625efdc192e4f0cc10
Instruction ID: 3bb192a3fa2fb1964e22919591410c330b21348595a65b7eeeccecb5c8778845
Opcode Fuzzy Hash: 0196a7fad1f592ddc0aad44d7248ca1a3d314ee9c6937c625efdc192e4f0cc10
Instruction Fuzzy Hash: 6BF1BD3160C3A19FC719CE28D48426EFBE2AFD9304F188A6DE4D987352D774D958CB92

Function 002FA07B Relevance: 6.6, Strings: 4, Instructions: 1648COMMON

Download Yara Rule

Strings

>A_, xrefs: 002FA889
bq~, xrefs: 002FB0E8
!#{y, xrefs: 002FA134
rs^~, xrefs: 002FA16F

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: !#{y$>A_$bq~$rs^~
API String ID: 0-2888551597
Opcode ID: 29e3233baf9dbefe403fb1aaba4f397ebcf980a359e009546fa2dadbcff9c562
Instruction ID: 948b60f5f7cb8aed3ef31ac63d70939c873cef4074b31d110a4157a759afc144
Opcode Fuzzy Hash: 29e3233baf9dbefe403fb1aaba4f397ebcf980a359e009546fa2dadbcff9c562
Instruction Fuzzy Hash: 71B229F36086049FE304AE2DEC8567AFBE9EF94720F1A453DE6C5C3744E63598018697

Function 001213A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 001213AD
-, xrefs: 00121F23
0123456789ABCDEFXP, xrefs: 001213A3
gfff, xrefs: 00121F3C
gfff, xrefs: 00121F57

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: b23ed300c68187d601f0a9289b90531d55b7e1e509d329fa8f91d7ce5e1b8d45
Instruction ID: c6d03d8f8dce1c69c88846bef4f1b0c77884bb0ab02e0968f47da944257ac84d
Opcode Fuzzy Hash: b23ed300c68187d601f0a9289b90531d55b7e1e509d329fa8f91d7ce5e1b8d45
Instruction Fuzzy Hash: CAD1AD3160C7919FC719CE29D48026AFBE2AFD9308F08CA6DE4D987352D334D949CB92

Function 002F029B Relevance: 6.3, Strings: 4, Instructions: 1334COMMON

Download Yara Rule

Strings

W, xrefs: 002F0F19
4C_|, xrefs: 002F113D
\[v{, xrefs: 002F06FE
$wz, xrefs: 002F0A32

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: $wz$4C_|$\[v{$W
API String ID: 0-1542807734
Opcode ID: 1bb0b53160c5db8d58fa400e8205482ce3ec4592822383bfbe6f45b9b8fe95ac
Instruction ID: 5aad179ca602d22633447293a751ee35a24a94717a86458b6752ca20868272e9
Opcode Fuzzy Hash: 1bb0b53160c5db8d58fa400e8205482ce3ec4592822383bfbe6f45b9b8fe95ac
Instruction Fuzzy Hash: 0F924CF360C2049FE3046E69EC8567BFBE9EB94320F16463DEAC5C7744EA3558058693

Function 002F5630 Relevance: 6.2, Strings: 4, Instructions: 1168COMMON

Download Yara Rule

Strings

&nwo, xrefs: 002F575F
7, xrefs: 002F5DE7
f:, xrefs: 002F5671
7, xrefs: 002F5DF4

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: 7$ 7$&nwo$f:
API String ID: 0-286901326
Opcode ID: 6a921525da286b2bfb30770d8310fbade6afa9889c4cc732b6d55f63eaa92f7b
Instruction ID: 8b5ad42add982e99b29c9c253cdea1f3bd72e2af1ae09e141d8ca103e0efbd99
Opcode Fuzzy Hash: 6a921525da286b2bfb30770d8310fbade6afa9889c4cc732b6d55f63eaa92f7b
Instruction Fuzzy Hash: D1725BF3A08204AFE7046E2DEC8577AF7E9EF94760F1A863DE6C4C3744E63598058652

Function 0014FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

:, xrefs: 00150087
uvw, xrefs: 0014FE95
NA_I, xrefs: 0015036D
m1s3, xrefs: 0014FEC3, 0014FECB

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 14021dbf22d3faa2fdd172f6a653cbbeb9751ce7ff30be6d940eff7e2b03fd12
Instruction ID: 0172d8ade5a662ca721295d2b457cc03a0da6d6e92d54a5f4a07a4091cc2c695
Opcode Fuzzy Hash: 14021dbf22d3faa2fdd172f6a653cbbeb9751ce7ff30be6d940eff7e2b03fd12
Instruction Fuzzy Hash: 3532CCB0508380DFD311DF68D881A2ABBF5BB99341F14492CF9E58B292D335D999CF92

Function 00133BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00133EC4
ss, xrefs: 00133C79
p, xrefs: 00133C80
;z, xrefs: 00133C87

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: cf4cb8edb3489fc7d174c84659c3e92826e95e420c2d2a9c287338855f340a64
Instruction ID: fb6c0100191da70bbbd8efc9fe5f1a27c96706d4063b5ed08987197dc77939ad
Opcode Fuzzy Hash: cf4cb8edb3489fc7d174c84659c3e92826e95e420c2d2a9c287338855f340a64
Instruction Fuzzy Hash: 0F025BB4810B00DFD760DF24D986756BFF5FF01300F90895DE8AA9B696E370A459CBA2

Function 00142260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

a|, xrefs: 00142317
sj, xrefs: 00142327
lc, xrefs: 00142507
hu, xrefs: 0014232F

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 3e01c59a47cbb574de815ed95231a57f44cda237a621616c8e77bf508aeed0d5
Instruction ID: d6f3f08834038013ac426c6971389e253ad7314211a7998c57573297b2028644
Opcode Fuzzy Hash: 3e01c59a47cbb574de815ed95231a57f44cda237a621616c8e77bf508aeed0d5
Instruction Fuzzy Hash: 23A19D744083418BC720DF18C891A6BB7F0FFA5754F588A0CF8D99B2A1E375D981CB96

Function 0014D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

KV, xrefs: 0014D97D
T>, xrefs: 0014D984
CV, xrefs: 0014D98B
#', xrefs: 0014D9EA

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: bf32f9d3789afe4e632d13d4ef8ff3050a65d042cf2ea29030dd0f14b08e9ce9
Instruction ID: c4d046938c22d1f1a91bc118f0562c84686646302858b729f7cf199ba65d5154
Opcode Fuzzy Hash: bf32f9d3789afe4e632d13d4ef8ff3050a65d042cf2ea29030dd0f14b08e9ce9
Instruction Fuzzy Hash: 218156F48017459BDB20DFA5D28516EBFB1FF16300F604A0CE896ABA55C330AA55CFE2

Function 0014AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 0014AD07, 0014AD13
(g6e, xrefs: 0014ACA1
lk, xrefs: 0014ACBC
4c2a, xrefs: 0014ACA9

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 47f6b93a6ccb07e9f8df009c6901cc9bb9fe13cd52049584f4cdb1160e18892e
Instruction ID: 7fbff437618699acaab115646ae6a81b665b0122eb65cfc0dab18c5ff63ad669
Opcode Fuzzy Hash: 47f6b93a6ccb07e9f8df009c6901cc9bb9fe13cd52049584f4cdb1160e18892e
Instruction Fuzzy Hash: A14185B4808381DBD7209F24D900BABB7F4FF86305F94995DE9C897260EB31D984CB96

Function 002F1E0B Relevance: 5.0, Strings: 3, Instructions: 1280COMMON

Download Yara Rule

Strings

7], xrefs: 002F20C4
ya.~, xrefs: 002F2915
$r, xrefs: 002F235D

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: $r$ya.~$7]
API String ID: 0-1618495102
Opcode ID: b38ec9b62365e7ab21ef766bc85cab4bb4d84f79892fd23d4f72d62d37eff94e
Instruction ID: c7ca3e64ed252d436eee9b2a7da6c01a59e16fcd4f77ff4ec707f65c79283ed9
Opcode Fuzzy Hash: b38ec9b62365e7ab21ef766bc85cab4bb4d84f79892fd23d4f72d62d37eff94e
Instruction Fuzzy Hash: 279214B39082009FD304AE2DEC8567AFBE5EF94720F1A492DEAC5C3744EA355845C697

Function 0014C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 0014C537
%*+(, xrefs: 0014C8C3, 0014C8CB
%*+(, xrefs: 0014C9E4, 0014C9ED

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: f25ffbc222a846c21738df407390a41287e8cbe018718a25f6ca85effcb5424a
Instruction ID: 6bdaafa10111915263931ad0561f7667857e24ce4b9bd6df3ab98c3c751ca148
Opcode Fuzzy Hash: f25ffbc222a846c21738df407390a41287e8cbe018718a25f6ca85effcb5424a
Instruction Fuzzy Hash: 53E198B5509340EFE3209F68D881B2BBBF6FB95344F54882CF58987261E771D854CB92

Function 00128590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 00128616
IEND, xrefs: 001289F0
), xrefs: 0012860C

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 103513412cfdf378484e475305d0aedff2d028a38517e8d3e61140eaf2ec6b21
Instruction ID: 004bcf5fd14ee567d30af532ad5bbd206a7acd753b707219ffdab05020ffb5e6
Opcode Fuzzy Hash: 103513412cfdf378484e475305d0aedff2d028a38517e8d3e61140eaf2ec6b21
Instruction Fuzzy Hash: 83E1C2B1A097129FE310CF28E88172ABBE0BF94314F14492DE59597381EB75E964CBC2

Function 002EC9C4 Relevance: 4.1, Strings: 2, Instructions: 1611COMMON

Download Yara Rule

Strings

r).`, xrefs: 002EDB98
;w/^, xrefs: 002ECC01

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: ;w/^$r).`
API String ID: 0-1742145042
Opcode ID: 5a8971a50c7e76476d735a13776d5e6a5c55f5f41c1d5613e20f9417a95ad054
Instruction ID: a39f555385c9d6037a5a85b382d31f583817b5e792ba0405ed922db68e6c7a74
Opcode Fuzzy Hash: 5a8971a50c7e76476d735a13776d5e6a5c55f5f41c1d5613e20f9417a95ad054
Instruction Fuzzy Hash: AEB2E7F360C204AFE3046E29EC8567AFBEAEBD4720F16853DE6C4C7344EA7558058696

Function 00164040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

f, xrefs: 0016420C
%*+(, xrefs: 001640A4, 001640AD

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 67c08161cb3b668bcd9c9de0f8d4c423adf7035ffbebc05ee217c23a4b2c2350
Instruction ID: 350f4303113267b55de870036acac3ca9cf1726ecffa8d7a056826ce9d906a05
Opcode Fuzzy Hash: 67c08161cb3b668bcd9c9de0f8d4c423adf7035ffbebc05ee217c23a4b2c2350
Instruction Fuzzy Hash: 8812AA716093419FC715CF18C890B2EBBE2FB9A314F588A2CF4958B391D731E965CB92

Function 002EBBF8 Relevance: 3.1, Strings: 2, Instructions: 562COMMON

Download Yara Rule

Strings

4YMW, xrefs: 002EC270
1w~\, xrefs: 002EBF17

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: 1w~\$4YMW
API String ID: 0-644889950
Opcode ID: 468e44be718d59989ec9b39bcfa527ffaeb8dc8cf2e0634e988a1f8850339646
Instruction ID: 3fe3efe15fd9933334440a7bd187ebdcba4c4cde394dc126b21c698f2cc62ff0
Opcode Fuzzy Hash: 468e44be718d59989ec9b39bcfa527ffaeb8dc8cf2e0634e988a1f8850339646
Instruction Fuzzy Hash: C602F4B361C2149FE304AF2DEC8567AFBE9EF54720F164A2DEAC4C3740EA7558408796

Function 0015F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 0015F7F5
hi, xrefs: 0015F6E6

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 992933344164ee306d746da054a9de2ac9841b79d59416ca1cb3ba4667365e3b
Instruction ID: bcaa87efe26e2485cc54fce00dceabcd77a1c1e57621858a827edc1f8409dcc7
Opcode Fuzzy Hash: 992933344164ee306d746da054a9de2ac9841b79d59416ca1cb3ba4667365e3b
Instruction Fuzzy Hash: 82F1A771618301EFE704CF24D891B2ABBF6FB85349F14992CF4958B2A1C734D98ACB12

Function 001235B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 0012360E
Inf, xrefs: 00123607

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 3fb224327a8764d8d689916ea426a13c6053abfde75c31db6c18dae408d3aef6
Instruction ID: 677b825849c0d3365a918467c44696227263e9d09cf5909087f10286475f5526
Opcode Fuzzy Hash: 3fb224327a8764d8d689916ea426a13c6053abfde75c31db6c18dae408d3aef6
Instruction Fuzzy Hash: 71D1E671A083219BC708CF28D88061EBBE5EBC8750F158A3DF9A997390E775DD558B82

Function 0013FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 001400F6
BaBc, xrefs: 00140197

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 5151a1efd8796c107e576bb403e9ce71f09708420efca47ce84b64e3a57c8bbb
Instruction ID: 65f5fc5020449bba1f8571f2067a6f530191780568df9b266838168748e0fbd1
Opcode Fuzzy Hash: 5151a1efd8796c107e576bb403e9ce71f09708420efca47ce84b64e3a57c8bbb
Instruction Fuzzy Hash: 4C51CDB16083818BD332CF15C881BABB7E0FF9A350F09491DE4DA8B661E3749980CB57

Function 00125160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 001254C8

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: adf5423658558052aad2c4a94f195d73bd7a8aa926d3d398b706161430fc7366
Instruction ID: af70592ed54cf62e2fac07a8a60144053586bca3cf336ee6350c02fc41d9ed35
Opcode Fuzzy Hash: adf5423658558052aad2c4a94f195d73bd7a8aa926d3d398b706161430fc7366
Instruction Fuzzy Hash: C722D3B6A08B62CBE7158E19E8C0336BBA3AFE0314F5D856DD8598B341E7B1DC64C741

Function 001512D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 001515D1

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 8a15d2031dcc65501cacf3e526ab3653180dfadb89999751079efdf17f2faee8
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 61F14771A08341ABC726CE24C49076BBBE5AFD5355F18855DECAA8F382D734DC08C791

Function 0014AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0014B2D3, 0014B2DB

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 2a862d2e01c958f30f9ac870b76501cb6117b2633c5562a97fbf35998cbb4681
Instruction ID: 8fe452ddab0a6d14e987b90b2bb3e3b314352bd1eaa3196df329f331570d1296
Opcode Fuzzy Hash: 2a862d2e01c958f30f9ac870b76501cb6117b2633c5562a97fbf35998cbb4681
Instruction Fuzzy Hash: 7AE17675508306DBC724DF29C89096EB7F2FF98781F55892CE4C987260E335E999CB82

Function 00136EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00136EF3

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 61d8b3808f9a2cba3c7f350b7bfd625e9d91d74977e9be16406933bec56684fc
Instruction ID: de329e0d240e06eba6c39e7787700f19b513679934b7ad4e0835f3cdf9af3b44
Opcode Fuzzy Hash: 61d8b3808f9a2cba3c7f350b7bfd625e9d91d74977e9be16406933bec56684fc
Instruction Fuzzy Hash: 3FF19DB5A00B01DFC724DF24E891A26B3F6FF58314B148A2DE59787A91EB70F865CB41

Function 00147E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00148263, 0014826B

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: e0ce41c39a821c279a193d8742506b318304c7e64cb2e2ffa1b785b1f9b1934f
Instruction ID: 097c5ba0e9280b28b2ae154d07a307a4aa87754879bdcebe7d8d631722167f7b
Opcode Fuzzy Hash: e0ce41c39a821c279a193d8742506b318304c7e64cb2e2ffa1b785b1f9b1934f
Instruction Fuzzy Hash: 5DC1CF71508200AFD710EF14D882A2FB7F5EF95754F084819F8C59B2A1E735ED55CBA2

Function 00148D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00149233, 0014923B

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: b06c9ddf3a67607d7164ba1090b4c3b8601f400338f9705ea0874afbf04b5f10
Instruction ID: 742ef8e5e17612aaee89b39f60af7b49c199ab208853b336d5299bd9ffbf0267
Opcode Fuzzy Hash: b06c9ddf3a67607d7164ba1090b4c3b8601f400338f9705ea0874afbf04b5f10
Instruction Fuzzy Hash: 21D1BC70618302DFD718DFA4DC90A2AB7F6FF89314F59486CE88A876A1D730E990CB51

Function 00167FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00168167

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: cc7781a1a581a23d5017e18b3882dcdb33b86639d568093e767bf1a6e88f7aeb
Instruction ID: 132cd7c97b9753098ecc271b0db8ce86ff96a1a796aa7d6321c7e72e952f3fa1
Opcode Fuzzy Hash: cc7781a1a581a23d5017e18b3882dcdb33b86639d568093e767bf1a6e88f7aeb
Instruction Fuzzy Hash: 7ED1E5729082654FC725CE18D89072EB7E1EB85758F168A2CE9B5AB380CB71DC56C7C1

Function 0014CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0014CDC3, 0014CDCB

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 294e499ba0ca80c761c84f5d5b8073217bd764e8329063b5ab4a65634c342e95
Instruction ID: 0b764572acfbec2ce192083650b01bfac43c24dc8bee332b03b3c460051d0feb
Opcode Fuzzy Hash: 294e499ba0ca80c761c84f5d5b8073217bd764e8329063b5ab4a65634c342e95
Instruction Fuzzy Hash: C4B1FE70A0A3019BDB14DF58E891A3BBBF2EF95340F14492CE5C59B261E335E855CBE2

Function 0012A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 0012A9C3

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 6f9cffafd275b760f473d961337f0b3e0dda2300d2f804f929cf5206a48cc06c
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: 16B138702083819FC324CF19D89061BBBE1AFA9704F448A2DF5D997342D371EA58CBA7

Function 0015FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0015FCA4, 0015FCAD

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: b33687d6f0f9b016d6886ac95edbf3fe547cb91239f1f7cd455a30d94bb23e8c
Instruction ID: 3acab38dd22c62b62e67749d1493dcbd79acef51e7bd3dbe36799f52cf7aceaf
Opcode Fuzzy Hash: b33687d6f0f9b016d6886ac95edbf3fe547cb91239f1f7cd455a30d94bb23e8c
Instruction Fuzzy Hash: 5C81DD71508300EBD714DF64DC85B2AB7F6FB99702F44882CF9998B251D731D89ACB62

Function 0013D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0013D663, 0013D66B

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: df32a3dc887b6b427b0aedafecbe406c69a30b1748b534823e0f39b9c93fa440
Instruction ID: bcb87261ce3043fc1c5604accfd42f71f915cec856ba31d406bd4960cc126d8b
Opcode Fuzzy Hash: df32a3dc887b6b427b0aedafecbe406c69a30b1748b534823e0f39b9c93fa440
Instruction Fuzzy Hash: DD61C1B2908314DBD711EF18FC82A2AB3B5FF98354F48092CF9898B251E771D964C792

Function 00258730 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

u(oo, xrefs: 00258822

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: u(oo
API String ID: 0-1955828555
Opcode ID: fb0ba8393ffe04847348bef101123882c30a7a9b684e827b0fae981ae3e41f93
Instruction ID: 440ec23a4c00b06275f1801ad73a5064318d779692182beb110b9b4c225398a9
Opcode Fuzzy Hash: fb0ba8393ffe04847348bef101123882c30a7a9b684e827b0fae981ae3e41f93
Instruction Fuzzy Hash: 05615CF3E087145BE300593DED8476BBBDAEBD4720F2BC639EA8893B44E8795D054291

Function 00164A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00164C33, 00164C3B

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7f65bf24e82be1d68799b2359f70f18a1ba57503d2e977ba86409d95625cf5ae
Instruction ID: 8c6609cc15d7febc62bd8f0508a29f3dcb0c6ac8ea7ff837ba373643186f80bd
Opcode Fuzzy Hash: 7f65bf24e82be1d68799b2359f70f18a1ba57503d2e977ba86409d95625cf5ae
Instruction Fuzzy Hash: C361DD716083019FD724DF69CC80B2ABBE6EBC5314F59891CE98987391D772EC60CB52

Function 002492A3 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

_-[, xrefs: 00249322

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: _-[
API String ID: 0-2559000830
Opcode ID: 9b945f4dbfacaeafe003123fd8edf05475245cd6914bc9e8bce8cd5d95c3ad64
Instruction ID: a9dba3b0a5f4e946fbcf918975730327aece2205af9e8ab5b7d3bc41fb3685c5
Opcode Fuzzy Hash: 9b945f4dbfacaeafe003123fd8edf05475245cd6914bc9e8bce8cd5d95c3ad64
Instruction Fuzzy Hash: 236119F3E082009BF3089E29DD4572AB7D6EBD4710F2A863CE9C9C7384E9795C418686

Function 003C07A9 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

G"El, xrefs: 003C0938

Memory Dump Source

Source File: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: G"El
API String ID: 0-3578051365
Opcode ID: a5ada9e2e487bc851d5e557adaa3f458c24fd7d29df242f2a31639a638aeb882
Instruction ID: bb4d31287e6f312aaab28ce0a4dfe140401bc3e76644ba6fffa89e146ee99983
Opcode Fuzzy Hash: a5ada9e2e487bc851d5e557adaa3f458c24fd7d29df242f2a31639a638aeb882
Instruction Fuzzy Hash: 755125B350C384DBD34A6E28DD86B3ABBDCEB44360F26492EE5C7C6A15E6315C409793

Function 0012E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0012E333

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 0718958bde7070b0804b15c9325f3e5daf714f3d0850582fcca1c2aaaf52c00e
Instruction ID: 9ffbee1cc616e3446921aeca941e92e6aaf0541ac1764478ccab580d6d2be6b9
Opcode Fuzzy Hash: 0718958bde7070b0804b15c9325f3e5daf714f3d0850582fcca1c2aaaf52c00e
Instruction Fuzzy Hash: 26512A23B596B087D328C93D6C553697AC71BA2334B3EC769E9F6873E1D65548108390

Function 00163920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 001639E3, 001639EB

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 223a5edb908eb5d1f6a21f89dcc40ef35430cec5c9751bb9884f5dd3deabd0c4
Instruction ID: a3747ca28f2adc9fb52487b04b7d2cf023b0ca3d013053fa8576ee2b2e1592cd
Opcode Fuzzy Hash: 223a5edb908eb5d1f6a21f89dcc40ef35430cec5c9751bb9884f5dd3deabd0c4
Instruction Fuzzy Hash: 3751BF706092009BCB28DF59DC80A2ABBF6FF85748F14881CE4DAC7251C371DE60DB62

Function 0037831D Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

c{Um, xrefs: 0037842C

Memory Dump Source

Source File: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: c{Um
API String ID: 0-2763830452
Opcode ID: 24ef29aae5f8ff29a65407dec44038b525792d8fa79807611233ae01edee06a1
Instruction ID: be32f4dd9619df8af5ac6b8b7413af751534e27e16d0782102e0e80639f2047b
Opcode Fuzzy Hash: 24ef29aae5f8ff29a65407dec44038b525792d8fa79807611233ae01edee06a1
Instruction Fuzzy Hash: B64129F3D082249BE301AE39ED856ABBBE5DF44360F06463DEAC497A44E531994886C7

Function 00131BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00131C3E

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 4e27239c66c43fba6dc65785c733e599938dfcf5eb29111f93c3c467644a6c08
Instruction ID: 8b5fe1c9b6a3c197a90df438ebbefb33c33982b35896af45adf874162f5bf275
Opcode Fuzzy Hash: 4e27239c66c43fba6dc65785c733e599938dfcf5eb29111f93c3c467644a6c08
Instruction Fuzzy Hash: D64142B4008380ABC7149F64D894A2FBBF0FF8A714F04991CF9C99B291D736CA55CB56

Function 0015FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00160033, 0016003B

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 3205dfc3a2b4c84ae7de0a8a69792b1cd1051fe2cd4230a5cdb7928bedbf2f1e
Instruction ID: 4274d3bbeb8d385f623a524e3e8bc43946a0649734e736a9bd8bf569a372291c
Opcode Fuzzy Hash: 3205dfc3a2b4c84ae7de0a8a69792b1cd1051fe2cd4230a5cdb7928bedbf2f1e
Instruction Fuzzy Hash: 143106B1908311ABD711EE14DC81B2BB7E9EB99784F544828F985D7252E332DC24C7A3

Function 0014E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 0014E6A2

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 84e5a83930371e806e8046a3ab81fe902bf2b12dcb583daad3ddacd01820c2a8
Instruction ID: bf50295592e5c315c4b931d727911a5f11706b493865c43b2d1b7b3cfc343696
Opcode Fuzzy Hash: 84e5a83930371e806e8046a3ab81fe902bf2b12dcb583daad3ddacd01820c2a8
Instruction Fuzzy Hash: F831E4B5904205DFDB20CF98E8805AFB7F4FB1A315F14042CE54AAB711D335A985CBE2

Function 00136F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0013703B

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: df38fa10ec66ffaa3318d4bc41e7d2332d8632cb23727e59d63b960ddf4cc06c
Instruction ID: 92b066cacb107dab6e1827a5e54e71e7bb889a05c792a653caf960b22d557570
Opcode Fuzzy Hash: df38fa10ec66ffaa3318d4bc41e7d2332d8632cb23727e59d63b960ddf4cc06c
Instruction Fuzzy Hash: 704156B5604B04DBD7388F61D994F26B7F2FB4A701F54891CE58A9BAA1E371F8508B10

Function 0014E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 0014E6A2

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: dd0fe37c97da4a0132d39961c25aa40a751353560cdd0df434456a7cd3e90136
Instruction ID: 557e99350b0a1a3c0a73a491548f625bb2229d2cd107a584ff15e1ed5fd0e2d6
Opcode Fuzzy Hash: dd0fe37c97da4a0132d39961c25aa40a751353560cdd0df434456a7cd3e90136
Instruction Fuzzy Hash: 5521E0B1904204DFC720CF98E890AAFBBF5BB1A705F14081CE54AAB711D335AD81CBA2

Function 00169CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00169D30

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 91926d1b4b48866144bfe0bddeea6a9b6ea64365bf9dcd938059cd61ee3481a9
Instruction ID: de5e2ee00dfef3f3ce188ad21db54dea2fad61c75ad144a0e0732e876949b06c
Opcode Fuzzy Hash: 91926d1b4b48866144bfe0bddeea6a9b6ea64365bf9dcd938059cd61ee3481a9
Instruction Fuzzy Hash: 7431A7709083008BD314EF14D880A2BFBFAFF9A358F54892CE1C897251D375D854CBA6

Function 00134E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b1c2c7f602cd8d87dc197213062394e30bb2bd0cf7088dde955fc05ebc94d2
Instruction ID: 10f208f472d18ae090e0b09af5d1467bf6bd13c0ffcb7697544e328dc8418080
Opcode Fuzzy Hash: 22b1c2c7f602cd8d87dc197213062394e30bb2bd0cf7088dde955fc05ebc94d2
Instruction Fuzzy Hash: 626268B4500B008FD725CF24D991B27BBF6AF59B00F54892CE49B8BA52E775F848CB90

Function 0012BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 8f45432fd6d43c3d1e609fff62f28cb14d1e159eb8b0794185deb0e5a79329a5
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 4752E831A087218BC7259F18E4402BFB3E1FFD5319F258A2DDAC693294D735A865CBC6

Function 00168652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aedde768ba522995b5d5309d762d3624072be531a430fc967e5cb021d67855d
Instruction ID: 068ba9712d0f059a42ab9acfb420df60fc628ee8b5da2a7b868b016ffb15fdd7
Opcode Fuzzy Hash: 9aedde768ba522995b5d5309d762d3624072be531a430fc967e5cb021d67855d
Instruction Fuzzy Hash: 2F22DB35608340CFC704EF68E89062AB7F5FF8A315F49896DE58987761D731E9A0CB82

Function 001686F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ed422545b06b9e4aa1960a6bc0dfed7fabc5e0c395b4ed69f9022de2849af1
Instruction ID: ccaed8978c41ef19ba90e1c737e959035e6cfaf8b5e9a8190af3affc628ef2d4
Opcode Fuzzy Hash: 06ed422545b06b9e4aa1960a6bc0dfed7fabc5e0c395b4ed69f9022de2849af1
Instruction Fuzzy Hash: 8922AB35608340DFC704EF68E89062ABBF5FF8A305F59896DE58987751D735E8A0CB82

Function 0012B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229ff75155cbd077491e7904ffa9a0a70394cd6b6332900df85266301d59287c
Instruction ID: 30d0142805e13e0975668ee34d83d5a0a105ecf16417e9f56afbe9348dce5f12
Opcode Fuzzy Hash: 229ff75155cbd077491e7904ffa9a0a70394cd6b6332900df85266301d59287c
Instruction Fuzzy Hash: 0252C37090CBA88FE735CB24D4C43A7BBE2AF91314F144D2DC6E60AB82D779A895C751

Function 001271F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9cd3e09de96bd78216eb705e909739b1a272c2b359e290e7c6a3778fce684e
Instruction ID: 8bd2b10ab86b98e19e9e44b510e661ed7d020f08aa462689fd98f0b07bfedd57
Opcode Fuzzy Hash: 8f9cd3e09de96bd78216eb705e909739b1a272c2b359e290e7c6a3778fce684e
Instruction Fuzzy Hash: 2852D13150C3658FCB19CF28D0906BBBBE1BF88314F198A6DE8995B391D734D999CB81

Function 00128FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad35f059f5b57215e8a556193a1f8c7dd3b33d706dacc7236741680173452fd
Instruction ID: 8f0f80f36893770ae4b593b3179fd15c31c6d41003ade7791721246ced378d89
Opcode Fuzzy Hash: bad35f059f5b57215e8a556193a1f8c7dd3b33d706dacc7236741680173452fd
Instruction Fuzzy Hash: 3E429679608301DFD708CF28E85076ABBE1BF88315F09896CE4898B7A1D775D995CF82

Function 00127BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3519eb539dbd3819393483224bce77eeddf7d364a6e2755e33ec9576eef0ae46
Instruction ID: 041940a18a767d8c746d51ffdb5c98c744cb6a14adabf04e5a46012414b146a1
Opcode Fuzzy Hash: 3519eb539dbd3819393483224bce77eeddf7d364a6e2755e33ec9576eef0ae46
Instruction Fuzzy Hash: AA322170519B218FC368CF29D69052ABBF2BF45710BA04A2ED6A787F90D736F855CB10

Function 001689A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b216d8f80c6018884e31ce813bacbb13198c51c0e49bab96818f94ba7286de
Instruction ID: 804e230f5ddf68e089cba5f9eb27d0e14087cc61a6f79f9568bbb81b441143ca
Opcode Fuzzy Hash: 49b216d8f80c6018884e31ce813bacbb13198c51c0e49bab96818f94ba7286de
Instruction Fuzzy Hash: C702AB35608240DFC704DF68E89062ABBF5FF8A305F09896DE5C987762C735D9A0CB92

Function 00168A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e381bfc5402b98e5c425adefe2908d49ec77ce6212f2066c0822130868584d16
Instruction ID: 75b64e1e244825089f7ac62eeff7d6293428472684d5036204eb56734aaa2cc6
Opcode Fuzzy Hash: e381bfc5402b98e5c425adefe2908d49ec77ce6212f2066c0822130868584d16
Instruction Fuzzy Hash: 80F1793560C340DFC704DF68E89062AFBF5AF8A305F19896DE5C987252D736D9A0CB92

Function 00168C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2d513efaff0ff053be2af926e5d1ee1a2e70acd3ac90ef492fe5fed38bf8ff
Instruction ID: 8e90aa75e316b8237294dddde4467a78bcd46a8181eaca123435bac721ff0700
Opcode Fuzzy Hash: 8c2d513efaff0ff053be2af926e5d1ee1a2e70acd3ac90ef492fe5fed38bf8ff
Instruction Fuzzy Hash: B7E1AD31608250CFC704DF68E89062AF7F5FB8A315F19896CE5D987352D736E9A0CB92

Function 0012A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: d0832f88279b901256a040ec14ae63f5aef0e5a0600180f0f5b9539251129e79
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 8AF1AA766083418FC724CF29D88166BFBE2AFD8300F48882DE5C587751E739E959CB96

Function 00168E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eff304b576285578f8f28fa0039a73e6410f8965bef38c826cbdb18dc1ffa35
Instruction ID: d011072550d9627f3e5714078ba3ae83b00980d9899a39b06600c50cbcfd6717
Opcode Fuzzy Hash: 0eff304b576285578f8f28fa0039a73e6410f8965bef38c826cbdb18dc1ffa35
Instruction Fuzzy Hash: FFD19D3460C250DFD705DF28E89062AFBF5EF8A305F09896DE5C987252D736D8A0CB92

Function 00134487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0af4ae35868f972db386fd6c9c7599c582e1dfa7d4c3f70ab91dcc9941e25e
Instruction ID: 42fac22d6a9983d76afa3079323859111f6f26c9ba5a9dadd707bdc18ae7aa3d
Opcode Fuzzy Hash: dc0af4ae35868f972db386fd6c9c7599c582e1dfa7d4c3f70ab91dcc9941e25e
Instruction Fuzzy Hash: 08E100B5501B008FD325CF28E992B97B7E1FF0A708F04886CE4AAC7B52E775B8548B54

Function 00166CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bce25142dfece42f3e247e43286a77b124bdfe7734c0f6caf5122e89858d554
Instruction ID: 1db965dd9f9bb0cc97774a7057032eabe80ba64cf55b604272f84b106c08515a
Opcode Fuzzy Hash: 5bce25142dfece42f3e247e43286a77b124bdfe7734c0f6caf5122e89858d554
Instruction Fuzzy Hash: DFD1F13661C351CFC715CF38D89052AB7F2AB89314F098A6DE8A9C77A1D335DA84CB91

Function 00167AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7987a4a622bca8fe516cd5a2dbd70874d2e247434a138ab267db6e0259189b23
Instruction ID: a31f2a9a212b4e71dbe8f2a471b00ff611167be83be9bae0d17c386db731f118
Opcode Fuzzy Hash: 7987a4a622bca8fe516cd5a2dbd70874d2e247434a138ab267db6e0259189b23
Instruction Fuzzy Hash: ECB10272A083504BE324DA68CC41B7BB7E5AFC4318F08496DF999973C2EB35DC148792

Function 0012AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: a1b1ae71c65584baff8b165a98cb4c3a64d12eabb5ebe9ab7192a78ace7b6558
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: AEC17EB2A087518FC360CF68DC967ABB7E1BF85318F08492DD1D9C6242E778A165CB46

Function 00136536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28816b5e4430b100ea15bac16e55be1bc51cfa926d80e77ddedc0c582b5a7ff
Instruction ID: 304ef847833ae00bb77f06b61234f57a8a971fbf25ff4f895a86a5e52477095c
Opcode Fuzzy Hash: c28816b5e4430b100ea15bac16e55be1bc51cfa926d80e77ddedc0c582b5a7ff
Instruction Fuzzy Hash: 65B100B4600B409BD321CF24D991B67BBF1EF5A704F14885CE8AA8BB52E375F805CB95

Function 00167710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 418272d14e95edf1d10dfc8fb696fcfd04dcb2a341216f21bbe918ad5b97afc4
Instruction ID: 0b55af84c4a057d4ed60d3fe60959d5095339f4c6f1a469179931efdfe763b3e
Opcode Fuzzy Hash: 418272d14e95edf1d10dfc8fb696fcfd04dcb2a341216f21bbe918ad5b97afc4
Instruction Fuzzy Hash: DC91AF71A1C301ABE724DB54CC40BAFB7E6EB85358F54881CF99987391E730E960CB92

Function 0016A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1daabe7d0d6808f67bddfe9f4c02d29141be8af4a7913c38d777d86f10a37b7f
Instruction ID: 3d05aa89555349ae198332e17f10bccd0ce4c97451dd6c1b06538f341e2b4793
Opcode Fuzzy Hash: 1daabe7d0d6808f67bddfe9f4c02d29141be8af4a7913c38d777d86f10a37b7f
Instruction Fuzzy Hash: 43817C342097018BD724DF28DC90A2AB7F5FF99740F95892CE5869B351E731EC61CB92

Function 001564F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d336e7d90bc82ea2a89ff75e1e45870b461f07f535db00ef4e8c05a9a31ffe37
Instruction ID: facb778326a2f7cb3f8d02cee8737bfc0f1600425f1a8ef1b05d12b7c933a34f
Opcode Fuzzy Hash: d336e7d90bc82ea2a89ff75e1e45870b461f07f535db00ef4e8c05a9a31ffe37
Instruction Fuzzy Hash: AC71D633B69A908BC324897C5C423A5BA534BD6334B7EC379E9B48F3E5D669480A43C0

Function 001428E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065e8633606f2348d47dc6d3a862a3c7c625c4ab67600b4ddb616b3894214b76
Instruction ID: bf3f4478200e845a5c6e8df35901f30fc25afa8859973899b7c3f1c5fde71484
Opcode Fuzzy Hash: 065e8633606f2348d47dc6d3a862a3c7c625c4ab67600b4ddb616b3894214b76
Instruction Fuzzy Hash: D46186B44083508BD311AF18E851A2ABBF0FFA6751F48491CF8C58B261E379D990CBA7

Function 00147C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a142892e8fb25307b1bb3c21384e5deb63324bf1838ff765e41ebc9a4f9d4732
Instruction ID: 3d583836a1188ca8e15982587c569132d8eb6ed5f23731727396c7295cb119d3
Opcode Fuzzy Hash: a142892e8fb25307b1bb3c21384e5deb63324bf1838ff765e41ebc9a4f9d4732
Instruction Fuzzy Hash: FA51C0B1A18205ABDB209B64CC92BB733B4EF85368F154958F985CB2E1F375DC01C762

Function 0027B245 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1e0af13dff9ad12129b8cee698c8364a125cd475e5154b77ea683313516e48
Instruction ID: aa63d10d9415029b78cfdb424013c71a68e306503d0e33b566efdc5af0c920aa
Opcode Fuzzy Hash: 6d1e0af13dff9ad12129b8cee698c8364a125cd475e5154b77ea683313516e48
Instruction Fuzzy Hash: C67104F39182109FF3006E38DC8577AB7E5EB94320F1A8A3EDAC4D7784E67958448796

Function 0023704F Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c003d1b70359b403d29083df76342dfa5373b4a8c26cb125accce246d88bdf3
Instruction ID: 5b478be90233daafafe3b13e712b6c77db7b3c9e1de0b51cde07697fd3b572b2
Opcode Fuzzy Hash: 8c003d1b70359b403d29083df76342dfa5373b4a8c26cb125accce246d88bdf3
Instruction Fuzzy Hash: 286157F3A186044FE300AE6DDC8476ABBD6EB94321F1B493DDAD4C3784E97D98058392

Function 00151860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 772fbfa397093f7e4db3daa615dc787e610dae19a22709d43ce5167fc38efaa4
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 7361BF31609341FBD72ACE28C58072EBBE2ABC5352F65C92DF8A98F251D370DD899741

Function 001582D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc2581ccb9b6e371dc125c56f53408d61fd05b76f9bcf6a2fbdb7e63822139f
Instruction ID: 533c9a1d2ad2b4fdfd3a3b84c16f6c06d5275878cc29bb1911b5ea004b0af5aa
Opcode Fuzzy Hash: acc2581ccb9b6e371dc125c56f53408d61fd05b76f9bcf6a2fbdb7e63822139f
Instruction Fuzzy Hash: 5A612823B5A990CBD318453D5C553A66A831BD2331F3EC365DCF2AF3E4DE6988494381

Function 001342FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f058abf94cb923e969e8ecf581d6b2a2c3055c1526c177a7011663ec332371a
Instruction ID: 3efb7e6dfbe3406ddd5a5ddef9b36d140a2923743b9c12d70a34031b6d07deb0
Opcode Fuzzy Hash: 7f058abf94cb923e969e8ecf581d6b2a2c3055c1526c177a7011663ec332371a
Instruction Fuzzy Hash: 2581C0B4810B00AFD360EF39D947797BEF4AB06201F504A1DE4EA97695E7306459CBE3

Function 002920A6 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9fbe51626ec5b78a331f64633a2f9fc3afb9138f06378f33674988fd5916923
Instruction ID: 60587f68f5fa3114aa148bd7727f20b4ae1842a1a4ab44513f4843668c39f2b8
Opcode Fuzzy Hash: f9fbe51626ec5b78a331f64633a2f9fc3afb9138f06378f33674988fd5916923
Instruction Fuzzy Hash: D351E6F36092049BE3006E2DDC957BEFBD6EB94720F0B493DE6C483744DA76A8458786

Function 0015E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: b1a738fe02ebebb65f37787c68d6a6c6e99054238d261db6e1eaa7d7fad0adba
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 0B515DB19087549FE314DF69D89435BBBE1BBC5318F044E2DE4E987350E779D6088B82

Function 001A64ED Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cf3d0be79d7815e60543ae2b7bd1cabd824c988a59cbaf4abf499f006566f5
Instruction ID: 4a89c33e6118e0403a6212ee4854dfa502ba90b9380d41735ad579a957310a65
Opcode Fuzzy Hash: c7cf3d0be79d7815e60543ae2b7bd1cabd824c988a59cbaf4abf499f006566f5
Instruction Fuzzy Hash: 9151F2F3A083188BE3147A7CED897667BD4EB14710F19463DDAC4873C4F97569048786

Function 00167520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4bb0319db08cd36cc5ac3a2b9924b26aab855a4b3fa47068b3c64a13cefaab
Instruction ID: ec78d7b1497e7ae642c913a9096082f4586031b30e4bb05a83746ca7d66c6639
Opcode Fuzzy Hash: de4bb0319db08cd36cc5ac3a2b9924b26aab855a4b3fa47068b3c64a13cefaab
Instruction Fuzzy Hash: 6651157160C200ABD7199E18CC90B2EB7E6EB85358F688A2CE8D9973D1D731EC60C791

Function 0020952F Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb2658404caf245f82370162d386144c587990fe00edbd988d48edc2603706c
Instruction ID: 57fb8c9525b45ddcc6c5f2c5f6fc437188f635cbb1684868c2b38bf41166db43
Opcode Fuzzy Hash: dbb2658404caf245f82370162d386144c587990fe00edbd988d48edc2603706c
Instruction Fuzzy Hash: 935149F3A083045BE7046E2DEC8536AB7DBEBE4320F2A853CD7C847785E93958064687

Function 00125A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44db49ca215d4e89144c8e0f2a0fa026a6aef44a4a6d2de92f7601ac9769369
Instruction ID: faea2a0611a0e7ce6e2e33d775464a832ac0246c63bc8b5087439a6606dab271
Opcode Fuzzy Hash: d44db49ca215d4e89144c8e0f2a0fa026a6aef44a4a6d2de92f7601ac9769369
Instruction Fuzzy Hash: 8051E271A047249FC714DF18E8C192AB7A6FF99324F15466CE8958B352E730EC62CBD2

Function 0021CA13 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f739d2575e39c3299781a86310c5d24cad809cf4d03afbdf0515630a041115
Instruction ID: 8d0d0d396700846007f40e43edbe95d394dd0a0e33bc92e447137c786a5c9a80
Opcode Fuzzy Hash: 03f739d2575e39c3299781a86310c5d24cad809cf4d03afbdf0515630a041115
Instruction Fuzzy Hash: BC414AF39082045BF3506E29EC8A3BBB7D5EF94324F1A413DDBC893780E93999048686

Function 0014EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ddd986d37590337f14002635b8bd4076e2a0e55fea9fb5317c6fb7c3d9e28d
Instruction ID: 27919a702c53e3e7a5a8bbdd578ebd895e7592580fe857a8604379316aef43a0
Opcode Fuzzy Hash: 69ddd986d37590337f14002635b8bd4076e2a0e55fea9fb5317c6fb7c3d9e28d
Instruction Fuzzy Hash: F1418D78D00325DBDF208F98DC91BADB7B1FF1A344F144548E945AB3A1EB38A951CB91

Function 001C1912 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc1eeda9ac4d96dc13ba98ef7b2ec19e096fe6875e5f8108516d1652c4d22b6
Instruction ID: bc18611b9c167d1d6a01a041e212376d4edd412bab76bee6c27eda0fe8ef2565
Opcode Fuzzy Hash: 9fc1eeda9ac4d96dc13ba98ef7b2ec19e096fe6875e5f8108516d1652c4d22b6
Instruction Fuzzy Hash: 4B411BF3A082005FE3049E6EDCC576BF7DAEBA4220F1B453DDA98C3704E97998158693

Function 00169B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79c3a30d04d0c248cd55b90ac896ce8b43baf9ffdca258f5f4678b5cfd47add
Instruction ID: 5b5b12be058f67d62077d74201c1789aefc4bc256784fa9b3fb7768f6cfd109e
Opcode Fuzzy Hash: c79c3a30d04d0c248cd55b90ac896ce8b43baf9ffdca258f5f4678b5cfd47add
Instruction Fuzzy Hash: A441BD74608340ABDB14DB14DD90B2FB7FAEB85750F54882CF5899B251D375E860CBA2

Function 00255775 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb153db5d9a2cb66133c9b76fce00f3d55346d901c60252b92e3b6d5a731c705
Instruction ID: 58c8a1822771268e39f94da0fb06b554fb2f262999ba8fd1d7c68b31621895c3
Opcode Fuzzy Hash: cb153db5d9a2cb66133c9b76fce00f3d55346d901c60252b92e3b6d5a731c705
Instruction Fuzzy Hash: D44103B3E146158BE3146E28DC8537AB7D2EB94310F2B463CDE89973C0E97E2D458786

Function 00132030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fafc80392b5145ae39fd46f79c16c590f975e98c69e54eaaf6828fbad30b321e
Instruction ID: dc2d0a5ac550d5bd00b000e34a43e56d2119feeaaf09f60412e361e01c78f008
Opcode Fuzzy Hash: fafc80392b5145ae39fd46f79c16c590f975e98c69e54eaaf6828fbad30b321e
Instruction Fuzzy Hash: 0741E772A083654FD35CDE2984A063ABBE2AFC5300F19866EF4D6873D0DBB48945D781

Function 00131E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c3ddd262a472a309ae8823f332413d1fb243f36c87229e4d8093bd2d89981b
Instruction ID: 432d132500a6c368c038f8f1cf1701e309b21b78157bb88a0780fd3aed4a741a
Opcode Fuzzy Hash: a7c3ddd262a472a309ae8823f332413d1fb243f36c87229e4d8093bd2d89981b
Instruction Fuzzy Hash: F241F074508380ABD321AB58C884B2EFBF5FB96745F14491CF6C497292C376E8148F66

Function 00168D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1270a576357b3594ec3610092978bac2abf15ac8f6ad8b45769697ebcc7e2540
Instruction ID: 3e02889b6f6620552b1832f2a3d30e1909d937f32f435aa573d54e73c03c3793
Opcode Fuzzy Hash: 1270a576357b3594ec3610092978bac2abf15ac8f6ad8b45769697ebcc7e2540
Instruction Fuzzy Hash: 5E41B03260D2508FC704EF68C89052EFBE6AF99300F198B2DD4D9E72A1DB75DD118B92

Function 0013D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0366a40476be5ad7eb763487d5993c33c5d788ea62db044882d052b84d2c8f7d
Instruction ID: 685810879734a171e9cc11a9d1b4c87cc68c6ee6c0a6340b6b7419aadb2713ce
Opcode Fuzzy Hash: 0366a40476be5ad7eb763487d5993c33c5d788ea62db044882d052b84d2c8f7d
Instruction Fuzzy Hash: 9241BFB5508381CBD7309F14E845BAFB7B0FFAA364F040958E58A8BB91E7744990CB93

Function 0015F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 9cb3208f89b23da0e549a5717075aac14cf52a8467e4b6358a2d46f179ec40d6
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 3D210A329082148BC3249B59C48153BF7E5EB99705F0A863EEDC49B295E335DC1987D1

Function 002D1C94 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8dfb047a6aa93a5125b1968edf6b47ee15a17d29aef3b3f335eb0fc0177fad
Instruction ID: abea99924594dd3e989387495eabe146d07f0fb58740fc551445ff6ab90aaea8
Opcode Fuzzy Hash: dc8dfb047a6aa93a5125b1968edf6b47ee15a17d29aef3b3f335eb0fc0177fad
Instruction Fuzzy Hash: EE3109F3A082105FE7049D3D9CD5766B6D8EB54310F26813DEB86D7780F8354C0046D6

Function 001667EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bbeebb6c1bb7ccf55328425d40009b0d10d2ad0cb0b1f4f923ff2e245594e4
Instruction ID: 29eb5355b4f2c9c0cf5d4bb5e3927649750628c3339e9ec248213a21c291cfc3
Opcode Fuzzy Hash: 66bbeebb6c1bb7ccf55328425d40009b0d10d2ad0cb0b1f4f923ff2e245594e4
Instruction Fuzzy Hash: 633114705183829AD714CF14C89062FBBF0EF96788F54590DF4C8AB261D338D995CB9A

Function 00145E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025f5bb35d36602b63400fb90a322f1272f2f453014455f542bfe9c964e810d5
Instruction ID: 5d5146784b1889fdab82b58ab5a8c65be6de803f7186ccdbcfd9341147ee53ad
Opcode Fuzzy Hash: 025f5bb35d36602b63400fb90a322f1272f2f453014455f542bfe9c964e810d5
Instruction Fuzzy Hash: A521AEB05082119BC310AF28C85192BF7F9EF96764F44890CF4D99B2A2E334CA04DBA3

Function 001249A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 1ebb191114c6f8bc1038124d57bde7549e38f3dd3fe20ec5e8015e4660dc37d7
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 3031DC316482209FD714DE58F881A2BB7E1EFC8359F19892DE89BD7241D335DC62CB86

Function 0038170B Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ed275601b9f518c99f21fbe73e2e6eea1aa9e5156d6e881df68d941fcaf715
Instruction ID: 1bc3e156b904dab9f0b34f2de2ffadeb6d1b727f16be704a5ea429de714729cb
Opcode Fuzzy Hash: 88ed275601b9f518c99f21fbe73e2e6eea1aa9e5156d6e881df68d941fcaf715
Instruction Fuzzy Hash: F73167B241C210EFD709AF28E8416BEFBE4EF58720F06092DE6C993610D37698408B97

Function 001664B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2120c84da682533ce03f36edecd3e7ff574f4f2d7398842075dcae05aab7caf
Instruction ID: 60e5060e71b9866e5da3843470279823b8424b5bc9f2536754bbdb48ae64dbc3
Opcode Fuzzy Hash: b2120c84da682533ce03f36edecd3e7ff574f4f2d7398842075dcae05aab7caf
Instruction Fuzzy Hash: 13213C7450C241DBC708EF19D990A2EFBF6FB95745F58881CE4C993361C735A8A1CB62

Function 00165700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794275adfd3f021f13a27fb4796902271672e61b954b263ad9fe767ec6d58c4a
Instruction ID: a77e67cf6fa3c1b767c3acc030664f416036b09e70484da8b14f06984dd401a2
Opcode Fuzzy Hash: 794275adfd3f021f13a27fb4796902271672e61b954b263ad9fe767ec6d58c4a
Instruction Fuzzy Hash: 1911A07191C280EBC301AF28EC51A1BBBF6AF96710F45882CF8C89B211D335D961DB93

Function 0015B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4207d4ed575755400b706f33b1141f70e1ecd47c15ff9418a7c71e5d7f152508
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3A11A933A091D48EC3168D3C84905B5BFA31AA3636B594399F8B49F2D2D7228D8E8355

Function 00150B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: 3640cd603d2d96e340b5afbc71600d85216136e8f75f10d5e3faa7824bdd3288
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 880175F9A003028BE721DE94A4D1B3BB2A86F59719F18452CED265B201EB75EC19C6D1

Function 0014D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4544aa5a956847a6f0d2954cd296b4c875c08c89e336aaac74cdb22d0e2e64db
Instruction ID: 7d37e3ddd6620ab468f231973aa2d1836b3bf2187d4aeefb4a64b470a7a8dbec
Opcode Fuzzy Hash: 4544aa5a956847a6f0d2954cd296b4c875c08c89e336aaac74cdb22d0e2e64db
Instruction Fuzzy Hash: 4311EFB0408380EFD3109F618494A2FFBE5EBA6714F148C0DF5A45B251C375D859CF56

Function 00126EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5542628f291ce0b62a09d1141570b8841bf2b9caded03374a8075ba3ef5774d3
Instruction ID: ad7fd80303a3ed33efd77b9c81f86ad3fe6e55d2a5171399cd8122e70448507d
Opcode Fuzzy Hash: 5542628f291ce0b62a09d1141570b8841bf2b9caded03374a8075ba3ef5774d3
Instruction Fuzzy Hash: EBF0243B71822A0BA710CDAABCC083BB396D7C9354B051538EA40C3245CEB2E8128290

Function 0015B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 0013C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 0013B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 1f3948d559844e034c03cab9aed27b79083298f9ff1912db5c9680f2a4ac3c9f
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: CCF0ECB1A0851057DF228A549CC0F37BB9CCB97354F190427F98657503E3615845C3E9

Function 00158220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55347e35c5fc607edcaca61e83ee2d3e1647e26928405be8152a123bfcbfc9a
Instruction ID: 5cd3bb529cef1c5e7728f571c03793897abf5f6c9384c762499131aea4923ca5
Opcode Fuzzy Hash: e55347e35c5fc607edcaca61e83ee2d3e1647e26928405be8152a123bfcbfc9a
Instruction Fuzzy Hash: 7001E4B04107009FC360EF29C945757BBE8EB08714F408A1DE8EECB680D770A5548B82

Function 00161440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: b31e4922881a0276ea7cf604fdf560245d8aebeb949c32ef497bba96fadbe1ad
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: A6D0A731608331969F748E19A810977F7F0EAC7B51F4D955EF586E3148D730DC41C2A9

Function 00131ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c477520ae10408835a2d00e6d92db5676dc298a118ef4e682042724c1623dcd0
Instruction ID: b3f99b0837e9c3f047a5da782a7e9c3428cbd7caa0ad3f45c643d968ffdfe9dc
Opcode Fuzzy Hash: c477520ae10408835a2d00e6d92db5676dc298a118ef4e682042724c1623dcd0
Instruction Fuzzy Hash: 4CC01234A190008BC2088F01BC99432B2B8A30A209B00602EDA03E3E61CBA0C4869909

Function 00166094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7083a3e4a76b96cbbe7a66654772df11e751b04cbeb5e8fb1600ba3eed8b19d9
Instruction ID: ad008848ca8bdc321e39a89f422c3a5ea8fd16e2218d0ac275c0dea9dc072788
Opcode Fuzzy Hash: 7083a3e4a76b96cbbe7a66654772df11e751b04cbeb5e8fb1600ba3eed8b19d9
Instruction Fuzzy Hash: C5C09B3465C00087D20CCF04DD51475F3779B97714B24B15DC86A23655C134D592A51C

Function 00131A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1d8aafb83c5d3647dc3970dc8a7be9289d8f92d1c26d71f1aa499755462869
Instruction ID: 0e57de6a5fe9e64089824882520969ed42b96cbb001347ba34063124b2af5255
Opcode Fuzzy Hash: fb1d8aafb83c5d3647dc3970dc8a7be9289d8f92d1c26d71f1aa499755462869
Instruction Fuzzy Hash: 91C04C25A590408AC2488E86BC91431A2A89306209B10303ED602E7A61CAA0D4468509

Function 00165FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2200785636.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2200772565.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000180000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.00000000003EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000418000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200846909.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202569670.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202693495.00000000005D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2202710033.00000000005D2000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d887648643a80301dd25ed0c80afef824a52ad7324f972641d700b5a9a490114
Instruction ID: 2869dd10cb8be6f3084cf9da764807dc8a3e895cf9bf5aa572e98c48bc0db7f3
Opcode Fuzzy Hash: d887648643a80301dd25ed0c80afef824a52ad7324f972641d700b5a9a490114
Instruction Fuzzy Hash: A1C09224B680008BE24CCF18DD51935F2BA9B8BA18B14B02DC85AA3A56D134D592960C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 001650FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 0012FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 0012D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00165BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0016695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 0013049B Relevance: .3, Instructions: 264
COMMON

Function 00130228 Relevance: .2, Instructions: 218
COMMON

Function 00163220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00163202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON