Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528824
MD5:	e1f54d2c6f204549c2b9b802fe2102e1
SHA1:	cdb2dd37db40e9a646923b21d6a6130bcf6a9019
SHA256:	f930a52a2107da490787657629a889c86714dd2fa9dbd7a18ac31866811ec6e9
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1240 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E1F54D2C6F204549C2B9B802FE2102E1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["spirittunek.storec", "studennotediw.storec", "mobbipenju.store", "dissapoiznw.storec", "eaglepawnoy.storec", "licendfilteo.sitec", "bathdoomgaz.storec", "clearancek.site"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:28:18.939133+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.5	49600	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:28:18.859753+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.5	56330	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:28:18.918855+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.5	58088	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:28:18.906777+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.5	63181	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:28:18.965400+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.5	57861	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:28:18.895109+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.5	55397	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:28:18.955092+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.5	51517	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:28:18.929330+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.5	56822	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.1240.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["spirittunek.storec", "studennotediw.storec", "mobbipenju.store", "dissapoiznw.storec", "eaglepawnoy.storec", "licendfilteo.sitec", "bathdoomgaz.storec", "clearancek.site"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: bathdoomgaz.store	Virustotal: Detection: 13%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: eaglepawnoy.store	Virustotal: Detection: 17%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 13%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 13%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 13%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 46%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0025D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0025D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_002963B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00295700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_0029695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_002999D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0025FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00260EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00266F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_0028F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00251000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00294040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00296094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0027D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00272260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00272260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_002642FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0025A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_002823E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_002823E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_002823E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_002823E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_002823E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_002823E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0027E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0026B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0027C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00291440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0026D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_002964B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00297520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00266536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00279510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00258590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0027E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0028B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00297710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0027D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_002967EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_002728E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00293920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0026D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_002549A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00261A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00294A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00255A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00261ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00299B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_0026DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_0026DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00280B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00263BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00261BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_0028FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00277C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_0027EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0027AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_0027AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00299CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00299CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_0027CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0027CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_0027CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0027DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_0027FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00298D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00264E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00277E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00275E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_0027AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00256EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_0025BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00266EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00261E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00279F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0028FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00266F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00297FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00297FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00258FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_0026FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00295FD6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:56822 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:58088 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:63181 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:57861 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:55397 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:49600 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:51517 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:56330 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: spirittunek.storec
Source: Malware configuration extractor	URLs: studennotediw.storec
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: dissapoiznw.storec
Source: Malware configuration extractor	URLs: eaglepawnoy.storec
Source: Malware configuration extractor	URLs: licendfilteo.sitec
Source: Malware configuration extractor	URLs: bathdoomgaz.storec
Source: Malware configuration extractor	URLs: clearancek.site

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=1f0667392115721ceb58f8ad; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 08:28:20 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlo equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2083733508.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082972525.0000000001002000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.0000000001000000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083733508.0000000001003000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000002.2083733508.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000002.2083733508.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00260228	0_2_00260228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052E058	0_2_0052E058
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00262030	0_2_00262030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251000	0_2_00251000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018	0_2_00429018
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00294040	0_2_00294040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00424098	0_2_00424098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029A0D0	0_2_0029A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00255160	0_2_00255160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025E1A0	0_2_0025E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041F1F9	0_2_0041F1F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002571F0	0_2_002571F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002512F7	0_2_002512F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002882D0	0_2_002882D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002812D0	0_2_002812D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025A300	0_2_0025A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025B3A0	0_2_0025B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002513A3	0_2_002513A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002823E0	0_2_002823E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003653FC	0_2_003653FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027C470	0_2_0027C470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00264487	0_2_00264487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026049B	0_2_0026049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002864F0	0_2_002864F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F5503	0_2_003F5503
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041350D	0_2_0041350D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C531	0_2_0042C531
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002535B0	0_2_002535B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00258590	0_2_00258590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004225FD	0_2_004225FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026C5F0	0_2_0026C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0028F620	0_2_0028F620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025164F	0_2_0025164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00298652	0_2_00298652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002986F0	0_2_002986F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D71C	0_2_0041D71C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003DF7DC	0_2_003DF7DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AE84B	0_2_004AE84B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00281860	0_2_00281860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025A850	0_2_0025A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0028E8A0	0_2_0028E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0028B8C0	0_2_0028B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002989A0	0_2_002989A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027098B	0_2_0027098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042AA74	0_2_0042AA74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00294A40	0_2_00294A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CBA5E	0_2_002CBA5E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416ACC	0_2_00416ACC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00297AB0	0_2_00297AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00298A80	0_2_00298A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041BB74	0_2_0041BB74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026DB6F	0_2_0026DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00257BF0	0_2_00257BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00427BBD	0_2_00427BBD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00298C02	0_2_00298C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420C74	0_2_00420C74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00296CBF	0_2_00296CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027CCD0	0_2_0027CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027DD29	0_2_0027DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027FD10	0_2_0027FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00278D62	0_2_00278D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0036BDB1	0_2_0036BDB1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00264E2A	0_2_00264E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00298E70	0_2_00298E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027AE57	0_2_0027AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025BEB0	0_2_0025BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00266EBF	0_2_00266EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025AF10	0_2_0025AF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00297FC0	0_2_00297FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00258FD0	0_2_00258FD0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0025CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0026D300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9995229991749175
Source: file.exe	Static PE information: Section: vjquvwqo ZLIB complexity 0.9939035981150496

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00288220 CoCreateInstance,

0_2_00288220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 46%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1874432 > 1048576

Source: file.exe

Static PE information: Raw size of vjquvwqo is bigger than: 0x100000 < 0x1a0200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.250000.0.unpack :EW;.rsrc :W;.idata :W; :EW;vjquvwqo:EW;sjkzxxvz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;vjquvwqo:EW;sjkzxxvz:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1ce611 should be: 0x1ce876

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: vjquvwqo
Source: file.exe	Static PE information: section name: sjkzxxvz
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0050686D push 59670451h; mov dword ptr [esp], edx	0_2_00507689
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052E058 push ebx; mov dword ptr [esp], 7F7F716Eh	0_2_0052E0B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004ED056 push 5C92BE61h; mov dword ptr [esp], esp	0_2_004ED0A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0039E013 push 056DC79Eh; mov dword ptr [esp], eax	0_2_0039E10D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052E019 push ebx; mov dword ptr [esp], 7F7F716Eh	0_2_0052E0B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F9019 push ecx; mov dword ptr [esp], edi	0_2_004F904C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D801A push 5B72A291h; mov dword ptr [esp], ebp	0_2_004D8046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D801A push ebp; mov dword ptr [esp], ebx	0_2_004D805D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push ecx; mov dword ptr [esp], esp	0_2_0042905B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 18330D7Eh; mov dword ptr [esp], esi	0_2_00429063
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push edi; mov dword ptr [esp], edx	0_2_00429074
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push edx; mov dword ptr [esp], 1F05E9D6h	0_2_00429168
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 6AABC2AAh; mov dword ptr [esp], edi	0_2_004291B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 4DA6767Bh; mov dword ptr [esp], edi	0_2_004291F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push ebx; mov dword ptr [esp], edi	0_2_004291FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push edx; mov dword ptr [esp], 0FF21524h	0_2_00429248
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 622DB8E2h; mov dword ptr [esp], edx	0_2_00429270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 32E9EB6Eh; mov dword ptr [esp], ebx	0_2_00429341
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 3A8AE1EAh; mov dword ptr [esp], esp	0_2_00429349
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push esi; mov dword ptr [esp], edi	0_2_00429378
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push edi; mov dword ptr [esp], eax	0_2_004293D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push edi; mov dword ptr [esp], 0000001Ch	0_2_00429455
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push esi; mov dword ptr [esp], ecx	0_2_004294B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 2F7B55B1h; mov dword ptr [esp], ecx	0_2_00429510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push edi; mov dword ptr [esp], eax	0_2_00429584
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 6EAF3A26h; mov dword ptr [esp], ecx	0_2_0042959A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push eax; mov dword ptr [esp], ebx	0_2_00429617
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push ecx; mov dword ptr [esp], ebx	0_2_004296A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 63CA9F8Fh; mov dword ptr [esp], edi	0_2_004296C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push 7CDBFAD3h; mov dword ptr [esp], ecx	0_2_004296EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429018 push esi; mov dword ptr [esp], eax	0_2_004296F8

Source: file.exe	Static PE information: section name: entropy: 7.978826416299808
Source: file.exe	Static PE information: section name: vjquvwqo entropy: 7.952772812576185

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B3C4B second address: 2B3C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B3C4F second address: 2B3C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 412FFF second address: 413041 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBD0D1E3BE2h 0x00000008 push ebx 0x00000009 jne 00007FBD0D1E3BD6h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jmp 00007FBD0D1E3BDFh 0x0000001a push ecx 0x0000001b jg 00007FBD0D1E3BD6h 0x00000021 js 00007FBD0D1E3BD6h 0x00000027 pop ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 413041 second address: 413045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 413045 second address: 413049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4310FD second address: 431114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D0D9CF3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4312A5 second address: 4312BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D1E3BE0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4312BB second address: 4312BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4316DE second address: 4316E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434563 second address: 4345EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d ja 00007FBD0D0D9CE6h 0x00000013 pop edi 0x00000014 jmp 00007FBD0D0D9CF9h 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d mov cl, ah 0x0000001f adc si, AE20h 0x00000024 call 00007FBD0D0D9CE9h 0x00000029 jns 00007FBD0D0D9CEAh 0x0000002f push ebx 0x00000030 push eax 0x00000031 pop eax 0x00000032 pop ebx 0x00000033 push eax 0x00000034 jmp 00007FBD0D0D9CF9h 0x00000039 mov eax, dword ptr [esp+04h] 0x0000003d push ecx 0x0000003e push edi 0x0000003f push esi 0x00000040 pop esi 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 mov eax, dword ptr [eax] 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4345EC second address: 4345F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4345F0 second address: 43460F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBD0D0D9CEEh 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 43460F second address: 434614 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434614 second address: 4346AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FBD0D0D9CE8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 jmp 00007FBD0D0D9CEEh 0x00000027 push 00000003h 0x00000029 sub dword ptr [ebp+122D2D4Ah], eax 0x0000002f push 00000000h 0x00000031 mov edx, dword ptr [ebp+122D2C76h] 0x00000037 push 00000003h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007FBD0D0D9CE8h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 0000001Dh 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 mov ecx, dword ptr [ebp+122D2CAAh] 0x00000059 push 961475D1h 0x0000005e jnp 00007FBD0D0D9D19h 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FBD0D0D9CF8h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434766 second address: 434770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434770 second address: 434774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434774 second address: 434778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434778 second address: 434820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+122D29F2h] 0x0000000e push 00000000h 0x00000010 jns 00007FBD0D0D9CECh 0x00000016 or ecx, 45BD9D2Fh 0x0000001c push 4F355109h 0x00000021 pushad 0x00000022 jnc 00007FBD0D0D9CE8h 0x00000028 push edi 0x00000029 push esi 0x0000002a pop esi 0x0000002b pop edi 0x0000002c popad 0x0000002d xor dword ptr [esp], 4F355189h 0x00000034 clc 0x00000035 push 00000003h 0x00000037 push ebx 0x00000038 mov edx, 03CF7AF5h 0x0000003d pop edi 0x0000003e mov dword ptr [ebp+122D1C74h], edi 0x00000044 push 00000000h 0x00000046 pushad 0x00000047 jmp 00007FBD0D0D9CF7h 0x0000004c ja 00007FBD0D0D9CE7h 0x00000052 popad 0x00000053 push 00000003h 0x00000055 push 00000000h 0x00000057 push edx 0x00000058 call 00007FBD0D0D9CE8h 0x0000005d pop edx 0x0000005e mov dword ptr [esp+04h], edx 0x00000062 add dword ptr [esp+04h], 00000015h 0x0000006a inc edx 0x0000006b push edx 0x0000006c ret 0x0000006d pop edx 0x0000006e ret 0x0000006f jl 00007FBD0D0D9CEBh 0x00000075 sub si, 79D3h 0x0000007a call 00007FBD0D0D9CE9h 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007FBD0D0D9CEBh 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434820 second address: 434835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D1E3BE1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434835 second address: 43486E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jp 00007FBD0D0D9CECh 0x00000014 pop eax 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push ebx 0x0000001a jmp 00007FBD0D0D9CF1h 0x0000001f pop ebx 0x00000020 mov eax, dword ptr [eax] 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 43486E second address: 434872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434872 second address: 4348B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jo 00007FBD0D0D9CF6h 0x00000011 jmp 00007FBD0D0D9CF0h 0x00000016 pop eax 0x00000017 mov dx, 678Fh 0x0000001b lea ebx, dword ptr [ebp+12454441h] 0x00000021 jmp 00007FBD0D0D9CEAh 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push esi 0x0000002b pop esi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4348B0 second address: 4348B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434991 second address: 434A00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b js 00007FBD0D0D9CEAh 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 pop eax 0x00000016 mov di, F9B5h 0x0000001a mov esi, dword ptr [ebp+122D2BCAh] 0x00000020 push 00000003h 0x00000022 push ecx 0x00000023 sbb cl, 00000072h 0x00000026 pop edx 0x00000027 push 00000000h 0x00000029 or cx, 7B9Fh 0x0000002e push 00000003h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007FBD0D0D9CE8h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a jmp 00007FBD0D0D9CF3h 0x0000004f push CC1D1200h 0x00000054 push eax 0x00000055 push edx 0x00000056 push edi 0x00000057 pushad 0x00000058 popad 0x00000059 pop edi 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 434A00 second address: 434A0A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBD0D1E3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4457DC second address: 4457E6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4532D1 second address: 4532E1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBD0D1E3BD6h 0x00000008 jo 00007FBD0D1E3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453749 second address: 45377E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBD0D0D9CE6h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBD0D0D9CEBh 0x00000013 pushad 0x00000014 jnc 00007FBD0D0D9CE6h 0x0000001a jmp 00007FBD0D0D9CF2h 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453A0A second address: 453A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453A0E second address: 453A17 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453A17 second address: 453A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453CE2 second address: 453CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CECh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453E8B second address: 453E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453E8F second address: 453E93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453E93 second address: 453E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 453E99 second address: 453EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D0D9CECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45400F second address: 454030 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BDFh 0x00000007 jmp 00007FBD0D1E3BDEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45417A second address: 454180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 454180 second address: 4541A6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FBD0D1E3BF2h 0x0000000e jmp 00007FBD0D1E3BE6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4541A6 second address: 4541C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007FBD0D0D9CE6h 0x0000000c jmp 00007FBD0D0D9CF3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 44B752 second address: 44B756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 454E52 second address: 454E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CF7h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4550FE second address: 455102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 458441 second address: 458447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 458447 second address: 45844B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45844B second address: 45846E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBD0D0D9CF8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45846E second address: 45853D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FBD0D1E3BE4h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 cld 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e pushad 0x0000001f ja 00007FBD0D1E3BDCh 0x00000025 adc edx, 2927BD97h 0x0000002b sub bx, 3BEFh 0x00000030 popad 0x00000031 lea eax, dword ptr [ebp+124789ABh] 0x00000037 jl 00007FBD0D1E3BE1h 0x0000003d mov dword ptr [eax+01h], esp 0x00000040 cmc 0x00000041 lea eax, dword ptr [ebp+124789B1h] 0x00000047 push 00000000h 0x00000049 push esi 0x0000004a call 00007FBD0D1E3BD8h 0x0000004f pop esi 0x00000050 mov dword ptr [esp+04h], esi 0x00000054 add dword ptr [esp+04h], 00000017h 0x0000005c inc esi 0x0000005d push esi 0x0000005e ret 0x0000005f pop esi 0x00000060 ret 0x00000061 stc 0x00000062 jnc 00007FBD0D1E3BD7h 0x00000068 cld 0x00000069 mov dword ptr [eax+01h], ebp 0x0000006c jmp 00007FBD0D1E3BE1h 0x00000071 mov byte ptr [ebp+122D2D55h], 0000004Fh 0x00000078 jmp 00007FBD0D1E3BE1h 0x0000007d push 839F993Ah 0x00000082 js 00007FBD0D1E3BE0h 0x00000088 pushad 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 45754A second address: 45754E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 458639 second address: 458661 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FBD0D1E3BD6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 458661 second address: 458667 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 458667 second address: 458689 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FBD0D1E3BD6h 0x00000009 jl 00007FBD0D1E3BD6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jp 00007FBD0D1E3BD6h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 458689 second address: 4586DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jp 00007FBD0D0D9D01h 0x00000011 jg 00007FBD0D0D9CFBh 0x00000017 jmp 00007FBD0D0D9CF5h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FBD0D0D9CF9h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4586DF second address: 4586E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4586E3 second address: 4586E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4586E9 second address: 4586EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4586EF second address: 4586F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4586F3 second address: 4586F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4588C5 second address: 4588CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 414A4C second address: 414A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460AC2 second address: 460AC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460AC6 second address: 460ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460ACC second address: 460AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FBD0D0D9CEAh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007FBD0D0D9CEEh 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42C0CE second address: 42C0D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42C0D4 second address: 42C0E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FBD0D0D9CE8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460369 second address: 46036D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460603 second address: 460612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnc 00007FBD0D0D9CE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460612 second address: 460634 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BDDh 0x00000007 jmp 00007FBD0D1E3BE1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46091A second address: 460937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460937 second address: 46093B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46093B second address: 460947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 460947 second address: 46094D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46094D second address: 460967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FBD0D0D9CF5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4626B7 second address: 4626BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462834 second address: 462852 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462852 second address: 462856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462A36 second address: 462A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBD0D0D9CE6h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462B36 second address: 462B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462C21 second address: 462C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462C25 second address: 462C2F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462CEA second address: 462CFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462CFD second address: 462D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D1E3BDFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 462D10 second address: 462D14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46317E second address: 463187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 463187 second address: 46318B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46318B second address: 4631F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FBD0D1E3BD8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 movsx esi, ax 0x00000027 nop 0x00000028 pushad 0x00000029 jns 00007FBD0D1E3BDCh 0x0000002f jmp 00007FBD0D1E3BE2h 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FBD0D1E3BE9h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4632AE second address: 4632B3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4634A4 second address: 4634A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46363D second address: 463643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4636CC second address: 4636EF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov esi, eax 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jmp 00007FBD0D1E3BDEh 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4636EF second address: 463720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FBD0D0D9CEDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBD0D0D9CF9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 463720 second address: 463726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 464763 second address: 464767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 464767 second address: 46476D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 464F56 second address: 464F71 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBD0D0D9CECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007FBD0D0D9CF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 464F71 second address: 464F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46630E second address: 466360 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBD0D0D9CECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d je 00007FBD0D0D9CF2h 0x00000013 jmp 00007FBD0D0D9CECh 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b xor esi, dword ptr [ebp+12465E02h] 0x00000021 pop esi 0x00000022 push 00000000h 0x00000024 xchg eax, ebx 0x00000025 jmp 00007FBD0D0D9CF6h 0x0000002a push eax 0x0000002b jo 00007FBD0D0D9CF4h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 464F75 second address: 464F79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 467954 second address: 4679EA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FBD0D0D9CF0h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FBD0D0D9CE8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D1C0Fh], esi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007FBD0D0D9CE8h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e mov di, si 0x00000051 push 00000000h 0x00000053 xchg eax, ebx 0x00000054 pushad 0x00000055 pushad 0x00000056 jmp 00007FBD0D0D9CF3h 0x0000005b jmp 00007FBD0D0D9CF2h 0x00000060 popad 0x00000061 push eax 0x00000062 push edx 0x00000063 push edi 0x00000064 pop edi 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 467699 second address: 46769E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46AA40 second address: 46AA6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FBD0D0D9CECh 0x00000011 jmp 00007FBD0D0D9CEEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4696EB second address: 4696EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46AA6A second address: 46AA75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FBD0D0D9CE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4696EF second address: 4696F5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 422112 second address: 422116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 422116 second address: 422124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FBD0D1E3BDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 422124 second address: 422128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 422128 second address: 42212E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42212E second address: 422132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46E9C6 second address: 46EA35 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBD0D1E3BDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+1246D60Fh], eax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FBD0D1E3BD8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007FBD0D1E3BD8h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b mov ebx, dword ptr [ebp+122D2C62h] 0x00000051 or bh, FFFFFFFDh 0x00000054 xchg eax, esi 0x00000055 pushad 0x00000056 pushad 0x00000057 jc 00007FBD0D1E3BD6h 0x0000005d pushad 0x0000005e popad 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 push ebx 0x00000063 pop ebx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46F9A6 second address: 46F9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FBD0D0D9CE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46F9B6 second address: 46F9BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 470A88 second address: 470A9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D0D9CF0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4736E6 second address: 4736EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4736EA second address: 4736F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 475756 second address: 4757C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 nop 0x00000009 movzx edi, bx 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FBD0D1E3BD8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 pushad 0x00000029 jmp 00007FBD0D1E3BDAh 0x0000002e mov dword ptr [ebp+122D34DCh], edi 0x00000034 popad 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007FBD0D1E3BD8h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 xchg eax, esi 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 jnp 00007FBD0D1E3BD6h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4757C5 second address: 4757D2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47EC70 second address: 47EC74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4769E0 second address: 4769F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4769F9 second address: 476A0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBD0D1E3BDEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 477A8A second address: 477A94 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479FE0 second address: 479FEA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47F304 second address: 47F35B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop esi 0x0000000c pop ebx 0x0000000d nop 0x0000000e mov bh, al 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FBD0D0D9CE8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c or bx, 00E7h 0x00000031 mov edi, eax 0x00000033 push 00000000h 0x00000035 movzx ebx, cx 0x00000038 xchg eax, esi 0x00000039 push ebx 0x0000003a jnp 00007FBD0D0D9CECh 0x00000040 jg 00007FBD0D0D9CE6h 0x00000046 pop ebx 0x00000047 push eax 0x00000048 jl 00007FBD0D0D9CF4h 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop edi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 477A94 second address: 477AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D1E3BDDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 479FEA second address: 479FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FBD0D0D9CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47A0BE second address: 47A0C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FBD0D1E3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48028C second address: 4802BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push ecx 0x00000008 jnp 00007FBD0D0D9CECh 0x0000000e pop ecx 0x0000000f nop 0x00000010 sub di, 1682h 0x00000015 push 00000000h 0x00000017 mov bx, di 0x0000001a sub dword ptr [ebp+122D2F1Dh], ecx 0x00000020 push 00000000h 0x00000022 mov ebx, dword ptr [ebp+122D2BC2h] 0x00000028 push eax 0x00000029 push eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 482CA5 second address: 482CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jp 00007FBD0D1E3BE1h 0x0000000b jmp 00007FBD0D1E3BDBh 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FBD0D1E3BD6h 0x00000018 ja 00007FBD0D1E3BD6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48AF43 second address: 48AF59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48AF59 second address: 48AF5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41811B second address: 41811F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A66D second address: 48A685 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FBD0D1E3BDEh 0x00000010 jc 00007FBD0D1E3BD6h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A7D0 second address: 48A7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A7D4 second address: 48A7E2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A7E2 second address: 48A7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A7FF second address: 48A828 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FBD0D1E3BDCh 0x0000000c jbe 00007FBD0D1E3BD6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBD0D1E3BE1h 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A828 second address: 48A833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBD0D0D9CE6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A833 second address: 48A83D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBD0D1E3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A83D second address: 48A84A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48AB26 second address: 48AB2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48F9BD second address: 48F9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48F9C1 second address: 48F9C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4948FC second address: 494915 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jne 00007FBD0D0D9CF8h 0x00000011 js 00007FBD0D0D9CECh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 494AA1 second address: 494AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 494AA5 second address: 494ACE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007FBD0D0D9CE8h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 494ACE second address: 494AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 494DCA second address: 494DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FBD0D0D9CE6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 495098 second address: 49509C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 495333 second address: 495338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49ACE6 second address: 49AD05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D1E3BE6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49AD05 second address: 49AD09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49AD09 second address: 49AD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4998D8 second address: 4998DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4998DF second address: 49990A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE7h 0x00000007 push edi 0x00000008 jmp 00007FBD0D1E3BDFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 499A32 second address: 499A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 499E7F second address: 499E8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007FBD0D1E3BD6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 499E8E second address: 499E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 499E94 second address: 499E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 499E9D second address: 499ECE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF5h 0x00000007 ja 00007FBD0D0D9CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jnp 00007FBD0D0D9CECh 0x00000017 jbe 00007FBD0D0D9CE6h 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49A3D7 second address: 49A3F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE0h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jnc 00007FBD0D1E3BD6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49A52B second address: 49A54E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF9h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4165AA second address: 4165C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4165C3 second address: 4165E6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBD0D0D9CF6h 0x00000008 pop ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49AAFC second address: 49AB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D1E3BE2h 0x00000009 jp 00007FBD0D1E3BD6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49AB19 second address: 49AB81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF4h 0x00000007 pushad 0x00000008 jmp 00007FBD0D0D9CF9h 0x0000000d jmp 00007FBD0D0D9CF5h 0x00000012 jmp 00007FBD0D0D9CF9h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49AB81 second address: 49ABBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FBD0D1E3BD8h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007FBD0D1E3BDEh 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FBD0D1E3BE5h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 499494 second address: 49949A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 49949A second address: 4994A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4994A7 second address: 4994AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2BAF second address: 4A2BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2BB3 second address: 4A2BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2BB9 second address: 4A2BBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A1AC5 second address: 4A1AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46B6CE second address: 44B752 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jo 00007FBD0D1E3BD6h 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 jc 00007FBD0D1E3BEDh 0x0000001b call dword ptr [ebp+122D2FCAh] 0x00000021 jmp 00007FBD0D1E3BE0h 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46BBB1 second address: 46BBBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FBD0D0D9CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46BD2C second address: 46BD51 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007FBD0D1E3BD6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 6BFA8C25h 0x00000013 and cl, FFFFFFA8h 0x00000016 push 4F68897Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e jbe 00007FBD0D1E3BD6h 0x00000024 pop ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46C1A0 second address: 46C21B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FBD0D0D9CE6h 0x00000009 jmp 00007FBD0D0D9CF1h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007FBD0D0D9CF8h 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FBD0D0D9CE8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 adc di, 4377h 0x00000037 push 00000004h 0x00000039 jmp 00007FBD0D0D9CF2h 0x0000003e push eax 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 push esi 0x00000043 pop esi 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46C8BE second address: 46C8C8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46C9C9 second address: 46C9F4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBD0D0D9CE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jnl 00007FBD0D0D9CE8h 0x00000013 lea eax, dword ptr [ebp+1248B459h] 0x00000019 add edi, 4A78A901h 0x0000001f nop 0x00000020 jc 00007FBD0D0D9CF4h 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46C9F4 second address: 46CA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBD0D1E3BD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A21B9 second address: 4A21BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A235A second address: 4A2367 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2367 second address: 4A2385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CF8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A2385 second address: 4A23A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBD0D1E3BDFh 0x0000000c jc 00007FBD0D1E3BD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A23A1 second address: 4A23C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF4h 0x00000007 jc 00007FBD0D0D9CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A23C5 second address: 4A23C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A23C9 second address: 4A23D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A906A second address: 4A9081 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBD0D1E3BDCh 0x00000008 pushad 0x00000009 jns 00007FBD0D1E3BD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A9081 second address: 4A9093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBD0D0D9CE6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A9093 second address: 4A9099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7E3D second address: 4A7E69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FBD0D0D9CEEh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBD0D0D9CF3h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8348 second address: 4A8380 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBD0D1E3BD6h 0x00000008 js 00007FBD0D1E3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007FBD0D1E3BF0h 0x00000016 push esi 0x00000017 pop esi 0x00000018 jmp 00007FBD0D1E3BE8h 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8380 second address: 4A838B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A838B second address: 4A83A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE6h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8502 second address: 4A8508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8508 second address: 4A850E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7AFC second address: 4A7B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7B02 second address: 4A7B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7B07 second address: 4A7B0C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A7B0C second address: 4A7B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D1E3BE4h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A87E2 second address: 4A87E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A87E8 second address: 4A8807 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007FBD0D1E3BD6h 0x00000013 popad 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007FBD0D1E3BD8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8957 second address: 4A895C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A895C second address: 4A8970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c jne 00007FBD0D1E3BDCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8A8B second address: 4A8A99 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8A99 second address: 4A8A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8A9D second address: 4A8AB3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jo 00007FBD0D0D9CE6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8AB3 second address: 4A8AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8D72 second address: 4A8D98 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBD0D0D9CF4h 0x00000011 jo 00007FBD0D0D9CE6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A8D98 second address: 4A8DA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007FBD0D1E3BD6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED57 second address: 41ED5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED5B second address: 41ED60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED60 second address: 41ED71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED71 second address: 41ED75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED75 second address: 41ED79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED79 second address: 41ED83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED83 second address: 41ED88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 41ED88 second address: 41ED98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBD0D1E3BD6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE97E second address: 4AE984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE984 second address: 4AE988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B14E1 second address: 4B14F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FBD0D0D9CEBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B14F6 second address: 4B150F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B17F5 second address: 4B17FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B3325 second address: 4B332B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B332B second address: 4B3332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8680 second address: 4B86A7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBD0D1E3BD6h 0x00000008 jmp 00007FBD0D1E3BE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B86A7 second address: 4B86AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B86AB second address: 4B86C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B86C9 second address: 4B86EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBD0D0D9CF9h 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B86EE second address: 4B86F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B86F4 second address: 4B86FA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8853 second address: 4B8857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8857 second address: 4B8883 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF0h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FBD0D0D9CECh 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8883 second address: 4B8889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8889 second address: 4B889E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBD0D0D9CEEh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B889E second address: 4B88B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D1E3BDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B88B0 second address: 4B88DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CEDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FBD0D0D9CE6h 0x00000013 jmp 00007FBD0D0D9CF1h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46C4C6 second address: 46C4CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46C4CA second address: 46C4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8D1C second address: 4B8D26 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBD0D1E3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE7F3 second address: 4BE7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE7F9 second address: 4BE802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE802 second address: 4BE806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE806 second address: 4BE80A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE80A second address: 4BE810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDB45 second address: 4BDB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDB50 second address: 4BDB54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDB54 second address: 4BDB5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDC8E second address: 4BDCE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FBD0D0D9CECh 0x0000000f jno 00007FBD0D0D9CE6h 0x00000015 jmp 00007FBD0D0D9CF1h 0x0000001a popad 0x0000001b push ecx 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f pop edx 0x00000020 js 00007FBD0D0D9CF7h 0x00000026 jmp 00007FBD0D0D9CEBh 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDE06 second address: 4BDE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE0D4 second address: 4BE0F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FBD0D0D9CE6h 0x0000000c popad 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FBD0D0D9CF1h 0x00000016 jmp 00007FBD0D0D9CEBh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE240 second address: 4BE24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE3C2 second address: 4BE3E1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jl 00007FBD0D0D9D0Dh 0x0000000f jmp 00007FBD0D0D9CECh 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1800 second address: 4C1806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1806 second address: 4C1830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jl 00007FBD0D0D9CE6h 0x0000000c popad 0x0000000d jmp 00007FBD0D0D9CF7h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C10BA second address: 4C10C6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBD0D1E3BD6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C10C6 second address: 4C10CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C9AE3 second address: 4C9AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8273 second address: 4C8277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C88CA second address: 4C88D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8B8D second address: 4C8BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007FBD0D0D9CE6h 0x00000015 jmp 00007FBD0D0D9CF5h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8E47 second address: 4C8E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8E4B second address: 4C8E79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF6h 0x00000007 jmp 00007FBD0D0D9CF0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8E79 second address: 4C8E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBD0D1E3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D126A second address: 4D129A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD0D0D9CE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FBD0D0D9CEBh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FBD0D0D9CEDh 0x0000001b popad 0x0000001c pop esi 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D129A second address: 4D129E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D129E second address: 4D12AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D12AE second address: 4D12BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jbe 00007FBD0D1E3BD6h 0x0000000d pop ecx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1522 second address: 4D1526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1526 second address: 4D152A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D194B second address: 4D1951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1951 second address: 4D1955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1AA8 second address: 4D1AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1AAC second address: 4D1AB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1AB4 second address: 4D1ADA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD0D0D9CEEh 0x00000008 jng 00007FBD0D0D9CE6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FBD0D0D9CF2h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1ADA second address: 4D1B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBD0D1E3BE3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1B08 second address: 4D1B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 jmp 00007FBD0D0D9CF4h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBD0D0D9CF3h 0x00000014 jmp 00007FBD0D0D9CF1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D7DD9 second address: 4D7DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D7DDF second address: 4D7DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D7DE7 second address: 4D7DF3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBD0D1E3BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D8084 second address: 4D80C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF4h 0x00000007 jbe 00007FBD0D0D9CE8h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jne 00007FBD0D0D9CE6h 0x00000019 jmp 00007FBD0D0D9CF6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80C4 second address: 4D80CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80CD second address: 4D80DC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D88E1 second address: 4D88EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D88EA second address: 4D88F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D915E second address: 4D917E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FBD0D1E3BE5h 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D917E second address: 4D918F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CECh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D98B4 second address: 4D98B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE708 second address: 4DE723 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2982 second address: 4E2993 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2993 second address: 4E29F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FBD0D0D9CF8h 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FBD0D0D9CECh 0x00000015 jmp 00007FBD0D0D9CF5h 0x0000001a pushad 0x0000001b jmp 00007FBD0D0D9CF7h 0x00000020 jp 00007FBD0D0D9CE6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2339 second address: 4E2351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FBD0D1E3BD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FBD0D1E3BD8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2351 second address: 4E2357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2357 second address: 4E235B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E235B second address: 4E235F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E247B second address: 4E24B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jmp 00007FBD0D1E3BE7h 0x0000000c popad 0x0000000d jc 00007FBD0D1E3BE2h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 ja 00007FBD0D1E3BE2h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0652 second address: 4F0658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42A586 second address: 42A5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 js 00007FBD0D1E3BD6h 0x0000000c jmp 00007FBD0D1E3BDFh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42A5A3 second address: 42A5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42A5A8 second address: 42A5AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42A5AE second address: 42A5B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0263 second address: 4F0267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0267 second address: 4F026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5581 second address: 4F5598 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FBD0D1E3BDEh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4256A0 second address: 4256CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FBD0D0D9CEDh 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBD0D0D9CF2h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4256CA second address: 4256E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D1E3BE3h 0x00000009 jg 00007FBD0D1E3BD6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5130 second address: 4F5134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5134 second address: 4F5155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBD0D1E3BE2h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5155 second address: 4F515B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F515B second address: 4F5163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5163 second address: 4F5167 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FDB0B second address: 4FDB0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FDB0F second address: 4FDB17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5047D4 second address: 5047EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D1E3BE0h 0x00000009 jne 00007FBD0D1E3BD6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5047EF second address: 5047F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0D7 second address: 50C0DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0DD second address: 50C0E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C231 second address: 50C259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D1E3BE7h 0x00000009 push esi 0x0000000a jmp 00007FBD0D1E3BDAh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C3F0 second address: 50C3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510BA7 second address: 510BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510BAB second address: 510BAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510BAF second address: 510BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510BB5 second address: 510BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510BBB second address: 510C04 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBD0D1E3BECh 0x00000008 push edx 0x00000009 jmp 00007FBD0D1E3BDBh 0x0000000e jmp 00007FBD0D1E3BE2h 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007FBD0D1E3BD8h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510C04 second address: 510C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51AA59 second address: 51AA66 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBD0D1E3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51AA66 second address: 51AA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51AA6B second address: 51AA9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBD0D1E3BE3h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C59D second address: 52C5A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52DCCD second address: 52DCD7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBD0D1E3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52FC08 second address: 52FC29 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBD0D0D9CE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FBD0D0D9CF5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52FC29 second address: 52FC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52FC31 second address: 52FC4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBD0D0D9CEBh 0x0000000f push edx 0x00000010 jnp 00007FBD0D0D9CE6h 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52FC4E second address: 52FC53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52FC53 second address: 52FC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CEBh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53147F second address: 5314A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBD0D1E3BE8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5314A0 second address: 5314C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBD0D0D9CF9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5314C2 second address: 5314DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a js 00007FBD0D1E3BFDh 0x00000010 js 00007FBD0D1E3BE2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531295 second address: 5312B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CF8h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54AAFD second address: 54AB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D1E3BE0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54AB11 second address: 54AB15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54AB15 second address: 54AB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54AB1B second address: 54AB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54AB21 second address: 54AB28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54AB28 second address: 54AB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D0D9CEFh 0x00000009 jp 00007FBD0D0D9CE6h 0x0000000f popad 0x00000010 jns 00007FBD0D0D9CFDh 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push edi 0x00000019 jmp 00007FBD0D0D9CECh 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549A1E second address: 549A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549A22 second address: 549A44 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jc 00007FBD0D0D9CE6h 0x00000011 jmp 00007FBD0D0D9CEDh 0x00000016 pop ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549A44 second address: 549A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549CEB second address: 549CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549CEF second address: 549CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549E36 second address: 549E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549E3A second address: 549E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD0D1E3BE7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c jo 00007FBD0D1E3BF4h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBD0D1E3BE2h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 549E72 second address: 549E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54A3F2 second address: 54A3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54A3F6 second address: 54A3FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54A3FA second address: 54A404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D71F second address: 54D725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D725 second address: 54D729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D729 second address: 54D737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D737 second address: 54D73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D73E second address: 54D7B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D0D9CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dl, ch 0x0000000c push 00000004h 0x0000000e mov dx, di 0x00000011 mov dword ptr [ebp+122D394Fh], eax 0x00000017 call 00007FBD0D0D9CE9h 0x0000001c jnc 00007FBD0D0D9CF8h 0x00000022 push eax 0x00000023 jmp 00007FBD0D0D9CF4h 0x00000028 mov eax, dword ptr [esp+04h] 0x0000002c jmp 00007FBD0D0D9CEBh 0x00000031 mov eax, dword ptr [eax] 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D7B5 second address: 54D7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54DA66 second address: 54DA6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54DA6A second address: 54DA79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007FBD0D1E3BD6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54DA79 second address: 54DA8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FBD0D0D9CE8h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54DA8A second address: 54DA90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54DA90 second address: 54DA94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 550537 second address: 550566 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD0D1E3BE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBD0D1E3BE8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 552440 second address: 552446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60C54 second address: 4E60C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60C5A second address: 4E60C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60C5E second address: 4E60C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60C62 second address: 4E60CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FBD0D0D9CF2h 0x00000015 sbb si, 1F18h 0x0000001a jmp 00007FBD0D0D9CEBh 0x0000001f popfd 0x00000020 mov ax, 56CFh 0x00000024 popad 0x00000025 test ecx, ecx 0x00000027 pushad 0x00000028 mov esi, 359B50C7h 0x0000002d pushad 0x0000002e mov di, si 0x00000031 pushfd 0x00000032 jmp 00007FBD0D0D9CF6h 0x00000037 and cl, FFFFFFA8h 0x0000003a jmp 00007FBD0D0D9CEBh 0x0000003f popfd 0x00000040 popad 0x00000041 popad 0x00000042 jns 00007FBD0D0D9D2Bh 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60CDA second address: 4E60CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD0D1E3BE8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60CF6 second address: 4E60D0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBD0D0D9CEAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60D0C second address: 4E60D52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 2C416014h 0x00000008 mov eax, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax+00000860h] 0x00000013 jmp 00007FBD0D1E3BDFh 0x00000018 test eax, eax 0x0000001a jmp 00007FBD0D1E3BE6h 0x0000001f je 00007FBD7DDF9BEFh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60D52 second address: 4E60D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E60D56 second address: 4E60D5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46567A second address: 465684 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBD0D0D9CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 2B3CD8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 4584D5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 4819F0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 46B855 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 2B3BE1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 4E5718 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6644	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 320	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2083733508.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2083594000.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00295BB0 LdrInitializeThunk,

0_2_00295BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor

Source: file.exe, file.exe, 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: |Program Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	46%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
bathdoomgaz.store	14%	Virustotal	Browse
studennotediw.store	18%	Virustotal	Browse
eaglepawnoy.store	18%	Virustotal	Browse
mobbipenju.store	14%	Virustotal	Browse
clearancek.site	18%	Virustotal	Browse
licendfilteo.site	16%	Virustotal	Browse
spirittunek.store	14%	Virustotal	Browse
dissapoiznw.store	14%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	0%	Virustotal		Browse
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	0%	Virustotal		Browse
https://www.youtube.com	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://steamcommunity.com/workshop/	0%	Virustotal		Browse
https://steamcommunity.com	0%	Virustotal		Browse
https://sketchfab.com	0%	Virustotal		Browse
http://127.0.0.1:27060	0%	Virustotal		Browse
clearancek.site	18%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
mobbipenju.store	14%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	Virustotal		Browse
https://www.google.com/recaptcha/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	false	0%, Virustotal, Browse	unknown
eaglepawnoy.store	unknown	unknown	true	18%, Virustotal, Browse	unknown
bathdoomgaz.store	unknown	unknown	true	14%, Virustotal, Browse	unknown
spirittunek.store	unknown	unknown	true	14%, Virustotal, Browse	unknown
licendfilteo.site	unknown	unknown	true	16%, Virustotal, Browse	unknown
studennotediw.store	unknown	unknown	true	18%, Virustotal, Browse	unknown
mobbipenju.store	unknown	unknown	true	14%, Virustotal, Browse	unknown
clearancek.site	unknown	unknown	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	unknown	unknown	true	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dissapoiznw.storec	true		unknown
studennotediw.storec	true		unknown
licendfilteo.sitec	true		unknown
clearancek.site	true	18%, Virustotal, Browse	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
bathdoomgaz.storec	true		unknown
eaglepawnoy.storec	true		unknown
mobbipenju.store	true	14%, Virustotal, Browse	unknown
spirittunek.storec	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://player.vimeo.com	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000002.2083733508.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.youtube.com	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://sketchfab.com	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083594000.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082791539.0000000001060000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000002.2083733508.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082935416.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082831639.000000000100D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2083768341.000000000102C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2082972525.000000000100D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2082791539.0000000001065000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528824
Start date and time:	2024-10-08 10:27:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:28:18	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61
	20fUAMt5dL.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	main.bin	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lHHfXU6Y37.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	7AeSqNv1rC.exe	Get hash	malicious	MicroClip, Vidar	Browse	104.102.49.254
	VmRHSCaiyc.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	na.elf	Get hash	malicious	Mirai	Browse	23.41.157.216
	na.elf	Get hash	malicious	Mirai	Browse	104.86.71.39
	na.elf	Get hash	malicious	Mirai	Browse	104.85.197.114
	na.elf	Get hash	malicious	Unknown	Browse	172.229.225.204
	na.elf	Get hash	malicious	Unknown	Browse	172.225.218.141
	na.elf	Get hash	malicious	Unknown	Browse	104.80.152.78
	na.elf	Get hash	malicious	Unknown	Browse	23.35.142.17
	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61
	20fUAMt5dL.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	main.bin	Get hash	malicious	Unknown	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Oilmax Systems Updated.xls	Get hash	malicious	Unknown	Browse	104.102.49.254
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	Lk9rbSoFqa.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	20fUAMt5dL.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lHHfXU6Y37.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.947295183253625
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'874'432 bytes
MD5:	e1f54d2c6f204549c2b9b802fe2102e1
SHA1:	cdb2dd37db40e9a646923b21d6a6130bcf6a9019
SHA256:	f930a52a2107da490787657629a889c86714dd2fa9dbd7a18ac31866811ec6e9
SHA512:	357300a8fee21656563086dc7f17bac0db5cd080787b6735a4deb865192bb66a085b9ced01c7cf56ad3ed03e36cdd4c99eba92ff1ffb016952dae035c0c83590
SSDEEP:	49152:U9iLI2wAEECzTxEiafjxR1LbBRtvgFK1zZ:RLdwAuxH0xR+a
TLSH:	E785331838A25894DD3C2AB38A2BE72AD0774D457D3E7B106F507F78E5A7721984B323
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@...........................K...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8ae000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FBD0CD32E1Ah
vmread dword ptr [eax+eax], ebx
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FBD0CD34E15h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	92efcf253039b3bc16782792d44e6d60	False	0.9995229991749175	data	7.978826416299808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2ac000	0x200	885f714da187c14667ed0b21b1f09cc9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vjquvwqo	0x30c000	0x1a1000	0x1a0200	ce2750be20627f63ce333d89ddbc34d7	False	0.9939035981150496	data	7.952772812576185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sjkzxxvz	0x4ad000	0x1000	0x400	460844934a5f7b52505ce4466b170823	False	0.861328125	data	6.511164203374897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ae000	0x3000	0x2200	a8f6dc8d0c74521d131f01b4e44ef64a	False	0.0642233455882353	DOS executable (COM)	0.818551592930446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T10:28:18.859753+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.5	56330	1.1.1.1	53	UDP
2024-10-08T10:28:18.895109+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.5	55397	1.1.1.1	53	UDP
2024-10-08T10:28:18.906777+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.5	63181	1.1.1.1	53	UDP
2024-10-08T10:28:18.918855+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.5	58088	1.1.1.1	53	UDP
2024-10-08T10:28:18.929330+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.5	56822	1.1.1.1	53	UDP
2024-10-08T10:28:18.939133+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.5	49600	1.1.1.1	53	UDP
2024-10-08T10:28:18.955092+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.5	51517	1.1.1.1	53	UDP
2024-10-08T10:28:18.965400+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.5	57861	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:28:19.034123898 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:19.034176111 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:19.034560919 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:19.035604000 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:19.035639048 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:19.683419943 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:19.683516979 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:19.685910940 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:19.685957909 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:19.686362028 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:19.731539011 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:19.779448986 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.182502985 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.182569027 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.182621002 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.182635069 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.182651043 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.182698965 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:20.182739973 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.182782888 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:20.182812929 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:20.269840002 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.269922018 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.270019054 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:20.270241976 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:20.271727085 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:20.271760941 CEST	443	49705	104.102.49.254	192.168.2.5
Oct 8, 2024 10:28:20.271794081 CEST	49705	443	192.168.2.5	104.102.49.254
Oct 8, 2024 10:28:20.271809101 CEST	443	49705	104.102.49.254	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:28:18.859752893 CEST	56330	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:18.869426966 CEST	53	56330	1.1.1.1	192.168.2.5
Oct 8, 2024 10:28:18.895108938 CEST	55397	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:18.904707909 CEST	53	55397	1.1.1.1	192.168.2.5
Oct 8, 2024 10:28:18.906776905 CEST	63181	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:18.917838097 CEST	53	63181	1.1.1.1	192.168.2.5
Oct 8, 2024 10:28:18.918854952 CEST	58088	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:18.928332090 CEST	53	58088	1.1.1.1	192.168.2.5
Oct 8, 2024 10:28:18.929330111 CEST	56822	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:18.938179016 CEST	53	56822	1.1.1.1	192.168.2.5
Oct 8, 2024 10:28:18.939132929 CEST	49600	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:18.948596954 CEST	53	49600	1.1.1.1	192.168.2.5
Oct 8, 2024 10:28:18.955091953 CEST	51517	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:18.964405060 CEST	53	51517	1.1.1.1	192.168.2.5
Oct 8, 2024 10:28:18.965399981 CEST	57861	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:18.973546982 CEST	53	57861	1.1.1.1	192.168.2.5
Oct 8, 2024 10:28:19.007023096 CEST	51619	53	192.168.2.5	1.1.1.1
Oct 8, 2024 10:28:19.014523983 CEST	53	51619	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 10:28:18.859752893 CEST	192.168.2.5	1.1.1.1	0x3745	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.895108938 CEST	192.168.2.5	1.1.1.1	0x1500	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.906776905 CEST	192.168.2.5	1.1.1.1	0x8156	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.918854952 CEST	192.168.2.5	1.1.1.1	0x2a52	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.929330111 CEST	192.168.2.5	1.1.1.1	0x6864	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.939132929 CEST	192.168.2.5	1.1.1.1	0xb1f	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.955091953 CEST	192.168.2.5	1.1.1.1	0xbaf2	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.965399981 CEST	192.168.2.5	1.1.1.1	0xd238	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:19.007023096 CEST	192.168.2.5	1.1.1.1	0x4ace	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 10:28:18.869426966 CEST	1.1.1.1	192.168.2.5	0x3745	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.904707909 CEST	1.1.1.1	192.168.2.5	0x1500	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.917838097 CEST	1.1.1.1	192.168.2.5	0x8156	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.928332090 CEST	1.1.1.1	192.168.2.5	0x2a52	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.938179016 CEST	1.1.1.1	192.168.2.5	0x6864	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.948596954 CEST	1.1.1.1	192.168.2.5	0xb1f	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.964405060 CEST	1.1.1.1	192.168.2.5	0xbaf2	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:18.973546982 CEST	1.1.1.1	192.168.2.5	0xd238	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:28:19.014523983 CEST	1.1.1.1	192.168.2.5	0x4ace	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.102.49.254	443	1240	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 08:28:19 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-08 08:28:20 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 08 Oct 2024 08:28:20 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=1f0667392115721ceb58f8ad; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-08 08:28:20 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-08 08:28:20 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	0
Start time:	04:28:16
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x250000
File size:	1'874'432 bytes
MD5 hash:	E1F54D2C6F204549C2B9B802FE2102E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	66.7%
Total number of Nodes:	45
Total number of Limit Nodes:	4

Executed Functions

Function 0025FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 0025FCBE
V, xrefs: 0025FEDC
VY^_, xrefs: 0025FDFF
J|BJ, xrefs: 0026000D

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 1288acca0d06a35c6c0b41c2a06ed2baa787154bdf58404527e710919bb65544
Instruction ID: 4a7a530b0619d74a0d38b268e5581c302b5bbbbd19f4ae5f2c5ac52857adc2ce
Opcode Fuzzy Hash: 1288acca0d06a35c6c0b41c2a06ed2baa787154bdf58404527e710919bb65544
Instruction Fuzzy Hash: 53D1A97452C3819BD311DF14D590A1FBBE1AB92B45F14885CF8C88B252C336CD99EB96

Function 0025D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0025D2F0

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 042047cf30271ac977add29322e1abe108f80fc46fae5f8c688f4cf0df38525b
Instruction ID: d941a84638aa7d5f2d8b424383195335a7a746b53e224448cff4916aca755838
Opcode Fuzzy Hash: 042047cf30271ac977add29322e1abe108f80fc46fae5f8c688f4cf0df38525b
Instruction Fuzzy Hash: BD41457042D340ABD721BF64D184A2EFBE5AF52746F048C0CE9C497212C336D8688B6B

Function 00295700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00295784

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d23e50d9e428dadd0d9c5f70900932c8521840663da05487de0d0f091527f8c0
Instruction ID: 852ac9a0102f11b769994bbbf17ee67a6d5dc5e551f7ddd5c3116bfe689feb09
Opcode Fuzzy Hash: d23e50d9e428dadd0d9c5f70900932c8521840663da05487de0d0f091527f8c0
Instruction Fuzzy Hash: CD11917192C250EBC702EF58E845A1BFBF9AF86710F05882CF4C49B221D735D921CB96

Function 00295BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0029973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00295BDE

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0029695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 002969C5

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9e88f85065c47faee8e4b6586caa45c1267495e3e9dfc2aa7c45a2faaeacc1dc
Instruction ID: 5c02e0a019dbd971a961ab4d824df1bf80c4ab4492b5034019126dad2b22d714
Opcode Fuzzy Hash: 9e88f85065c47faee8e4b6586caa45c1267495e3e9dfc2aa7c45a2faaeacc1dc
Instruction Fuzzy Hash: 4B3198B05283029FDB18DF14D8A8B2BB7F1EF85344F08881CE5C6A7261E7349924CB56

Function 0026049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfa595bd3e577ca2f16ce5a50c097acbb5d341732729e02e2675f071031a6ef
Instruction ID: be6a1d30c0c06674db23be2267b9dad071df1fca547b83cb326e474d0d47b4e9
Opcode Fuzzy Hash: ccfa595bd3e577ca2f16ce5a50c097acbb5d341732729e02e2675f071031a6ef
Instruction Fuzzy Hash: 76916A75210B00CFD724CF25E898A17B7FAFF89314B118A6DE856CBAA1DB71E815CB50

Function 00260228 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a9d772e1dc002fe8089d5baf305e78a5abf33f3d7bc5b3ba9976795babd0ce
Instruction ID: f3a5a2a5ead6653ca8b6c334f61c8ebcc612a86e02dd4355b96c98713d284a1f
Opcode Fuzzy Hash: 19a9d772e1dc002fe8089d5baf305e78a5abf33f3d7bc5b3ba9976795babd0ce
Instruction Fuzzy Hash: E5717974210700DFD7648F21E898A17B7BAFF8A311F208969E846CB662DB71E825CB50

Function 002999D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc0f45f724d85ea22c02d517c617bc25d6e4d81674bda2cb6dc94baff305bde
Instruction ID: 5eaab9b4ecd8b077d13b7e3d2c5b7bb2186e99781715838f0389f02bf60a8a6b
Opcode Fuzzy Hash: 3bc0f45f724d85ea22c02d517c617bc25d6e4d81674bda2cb6dc94baff305bde
Instruction Fuzzy Hash: 68419134228311ABDB14DF19E8A0B2FF7E5EB96724F14882CE58997251D335D861CB52

Function 002963B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8cd710e7f708d21521db615d8b65505b3fe3911d1013bcfe202331b49fc3d37
Instruction ID: b0e92c6e782fbe95fba0e705b9bed7e6f535b0d5dfc3d6b312b8e68ab4d5aaec
Opcode Fuzzy Hash: c8cd710e7f708d21521db615d8b65505b3fe3911d1013bcfe202331b49fc3d37
Instruction Fuzzy Hash: 5331E370219302BBDA24DA04DD8AF3BB7E5EB81B50F64551CF1816A2E1D770A8209B56

Function 00260EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ff70f8de269ff61cc417e80cc55d1aa0cf939f584ee7675ff4b218c3842277
Instruction ID: bbc7aec83a7f384bc5b8a7eaade7055891ae04fdfa7ccf09e16ccd97b8617858
Opcode Fuzzy Hash: d6ff70f8de269ff61cc417e80cc55d1aa0cf939f584ee7675ff4b218c3842277
Instruction Fuzzy Hash: FB2148B491021A8FDB14CF94CC90BBEBBB1FB4A300F244849E411BB282C775A951CFA4

Function 0050686D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 005075F1

Strings

V, xrefs: 005075C2

Memory Dump Source

Source File: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: V
API String ID: 544645111-1342839628
Opcode ID: b2aaf0674d072a2e6dade9855c8c084428d68e192ed2322cfeb167636bfe037c
Instruction ID: 99ed0c93206e4569af5a02fc4d13afb05c998cd5a363b6ee69155edfb1b90e4e
Opcode Fuzzy Hash: b2aaf0674d072a2e6dade9855c8c084428d68e192ed2322cfeb167636bfe037c
Instruction Fuzzy Hash: EC2136B250860ECFDB11AF18CC8AABE7BE1FF48300F110519D59187AA4DB72AC50CF55

Function 00293220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 002932A6

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8bd18c17ad0409addda6d08dc145db9d854e6fc73e4da1a93c887d5b27b182ce
Instruction ID: 3bdfca931d84c576795c48b0d6fb90da7541acae994d1b48ed7490b382b12b43
Opcode Fuzzy Hash: 8bd18c17ad0409addda6d08dc145db9d854e6fc73e4da1a93c887d5b27b182ce
Instruction Fuzzy Hash: B6016D3490D2409BCB01EF18E849A1ABBE8EF4A700F05485CE5C58B361D735DD60CB96

Function 00293202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00293208

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 735a5ca61b311472e20e2086052cf8b6c82cb3a240dc82cae19316f396db63b8
Instruction ID: db0966d3b37ba242279b44ca3f2e0e8f96c2fb550367a1ac843b21e1bb8f47f5
Opcode Fuzzy Hash: 735a5ca61b311472e20e2086052cf8b6c82cb3a240dc82cae19316f396db63b8
Instruction Fuzzy Hash: 73B012340800005FDA081B00FC0EF003510EB00605F800090E101040B1D5615864C554

Non-executed Functions

Function 0026DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

tuJK, xrefs: 0026E967
DCBA, xrefs: 0026E887, 0026E896
<=:;, xrefs: 0026E930
T, xrefs: 0026F157
:WUE, xrefs: 0026F6B7, 0026F6C6
LKJI, xrefs: 0026E6E6
AR, xrefs: 0026DD10
`onm, xrefs: 0026E733
89>?, xrefs: 0026E9F6
xgfe, xrefs: 0026E71D
@ONM, xrefs: 0026E6DB
|, xrefs: 0026ECB1
()./, xrefs: 0026E9CA
`Y^_, xrefs: 0026E99E
lkji, xrefs: 0026E73E
89&', xrefs: 0026E93B
mjkh, xrefs: 0026E7D8
QNOL, xrefs: 0026E775
<=2, xrefs: 0026EA01
WP, xrefs: 0026DCEF
D, xrefs: 0026E846
%*+(, xrefs: 0026DE37, 0026DE46
tsrq, xrefs: 0026E6FC
dcba, xrefs: 0026E728

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 185e200bc6583ea3345fd22663ed8a645b5f5730197f21ee5b5521451921706f
Instruction ID: cc62a970b80a6aa5dcebbfb835f903eb9ad80786f98d6ca5429a5ccd50e89975
Opcode Fuzzy Hash: 185e200bc6583ea3345fd22663ed8a645b5f5730197f21ee5b5521451921706f
Instruction Fuzzy Hash: 97F28AB45193829BDB70CF14D484BAFBBE6BFD5304F54482CE4C987251EB7198A4CB92

Function 002823E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

|}&C, xrefs: 00282F21
3<, xrefs: 002832D6
%*+(, xrefs: 002840EF
:, xrefs: 002832DD
mlc@, xrefs: 0028275C
ggxz, xrefs: 00282685
aenQ, xrefs: 0028276A
{l`~, xrefs: 0028268C
fedc, xrefs: 00282782
Cx, xrefs: 0028453D
`tii, xrefs: 00282693
f@~!, xrefs: 002825FF

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: 08ef18dd8e4c3c6691e1c9baec00dbb9fec6ff189feeba0416acc73cf5485805
Instruction ID: 49b26fcf579f54257a432c4f7ec59eca278824ee857d9f1c1b438a3312f73e7d
Opcode Fuzzy Hash: 08ef18dd8e4c3c6691e1c9baec00dbb9fec6ff189feeba0416acc73cf5485805
Instruction Fuzzy Hash: 5433DC74126B81CFD725DF38C590762BBE1BF16304F58898DD4DA8BA82C735E816CBA1

Function 00279F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

N[, xrefs: 0027A375
%e6g, xrefs: 0027A152
_Y, xrefs: 0027A641
S], xrefs: 0027A636
WQ, xrefs: 0027A62B
]{, xrefs: 0027A1E7, 0027A1F3
?m,o, xrefs: 0027A13C
kW, xrefs: 0027A380
hi, xrefs: 0027AB9D
JG, xrefs: 0027AA27
sm, xrefs: 0027A830
Gt, xrefs: 00279FF8
(a*c, xrefs: 0027A147
WH, xrefs: 0027AA1C
/), xrefs: 0027A66D
CG, xrefs: 0027AA32
=], xrefs: 0027A36A

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 282397a01f86d7c0081c4beea4aa5b09905114ba988af3c6f6e6e33f9bc1b3ce
Instruction ID: fedb22a86f6005e08306287048c5bac0fdb48bdcc0a44df4a80147954bd30acd
Opcode Fuzzy Hash: 282397a01f86d7c0081c4beea4aa5b09905114ba988af3c6f6e6e33f9bc1b3ce
Instruction Fuzzy Hash: B452C6B800D385CAE270CF25D581B8EBAF1BB92740F608A1DE5ED9B255DBB08045CF93

Function 00279510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

pq, xrefs: 002799E0
z=Q?, xrefs: 00279826
2A"_, xrefs: 00279980
?M0K, xrefs: 00279968
8;, xrefs: 00279B13
G'M!, xrefs: 00279ADB
G+X5, xrefs: 00279AF3
O+f), xrefs: 00279634, 0027963D
B7U1, xrefs: 00279AFB
B?Q9, xrefs: 00279B0B
X/R), xrefs: 00279AEB
L3Y=, xrefs: 00279B03
;IJK, xrefs: 0027983E
,A&C, xrefs: 0027982E
T#a-, xrefs: 00279AE3
!E4G, xrefs: 00279836

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 6d5bad265cb302a28fd746f76835ac25de5f97b04bed4a527888bf8634d69120
Instruction ID: a6bebdfc94402c2af8f132863e515c59479d2aafc2a20a3f1f3e5c24f060ed81
Opcode Fuzzy Hash: 6d5bad265cb302a28fd746f76835ac25de5f97b04bed4a527888bf8634d69120
Instruction Fuzzy Hash: BEF14EB0428381ABD310DF15D881A2BBBF4FB8AB48F548D1CF4D99B252D374D958CB96

Function 0027DD29 Relevance: 18.6, Strings: 14, Instructions: 1142COMMON

Download Yara Rule

Strings

n\+H, xrefs: 0027DDC0
%*+(, xrefs: 0027E143
<Y.[, xrefs: 0027E27D
upH}, xrefs: 0027DE8A, 0027E798, 0027DF4A
-M2O, xrefs: 0027E25A
', xrefs: 0027E9C5
r', xrefs: 0027E92E
Y9N;, xrefs: 0027E245
=]+_, xrefs: 0027E276
,Q?S, xrefs: 0027E26F
hX]N, xrefs: 0027DDC7
)IgK, xrefs: 0027E261
', xrefs: 0027E403, 0027E664, 0027E7BD
{E, xrefs: 0027E323

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: '$%*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$r'$upH}${E$'
API String ID: 0-335865536
Opcode ID: 0512c751c9fa051f9c958a589951a0c1da7a3077dfd3946e9fff0a8304e5e22a
Instruction ID: 2c5375f68b6224a0d1c48bc1a2a68c9c5be2a27fa68e787f6a9053c054fa7864
Opcode Fuzzy Hash: 0512c751c9fa051f9c958a589951a0c1da7a3077dfd3946e9fff0a8304e5e22a
Instruction Fuzzy Hash: 99921575E10215CFDB08CF68D84176EBBB2FF4A324F2981A8E455AB391D7359D21CBA0

Function 00429018 Relevance: 12.8, Strings: 9, Instructions: 1576COMMON

Download Yara Rule

Strings

{l, xrefs: 00429AF2
Vsw, xrefs: 00429776
7[?3, xrefs: 004298E0
q_k, xrefs: 004297D0
Am:, xrefs: 004298FB
B?, xrefs: 00429AE3
1&h, xrefs: 00429935
bDs, xrefs: 00429C1D
Ct, xrefs: 00429CA3

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: 1&h$7[?3$Am:$B?$Ct$bDs$q_k$Vsw${l
API String ID: 0-3861904828
Opcode ID: ad5efe20fff9ba27719fb07fa7e10232469e778326db8f890674a38d5fa8e014
Instruction ID: e64ebf99fabd33bda82bac40fca81aeddcb4569b95120e8947491444bc681115
Opcode Fuzzy Hash: ad5efe20fff9ba27719fb07fa7e10232469e778326db8f890674a38d5fa8e014
Instruction Fuzzy Hash: 01B2C5F360C6009FE304AE69EC8577AB7E9EF94720F1A493DEAC5C3740E67598018697

Function 0027098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

&> &, xrefs: 00270F89
cah`, xrefs: 0027107E
%*+(, xrefs: 00270A77, 00270A86
,#15, xrefs: 00270F94
qrqp, xrefs: 00271089
{, xrefs: 00271502
gce/, xrefs: 00271073
9.5^, xrefs: 00270F9F

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 24bf9de572c0b9a36d758517950b2f83678e54912f9d97b8dd1b8df2196f4782
Instruction ID: b41c2c78fcdd982973c6407da1b35c810895d8794db27f0a911d58a231e11515
Opcode Fuzzy Hash: 24bf9de572c0b9a36d758517950b2f83678e54912f9d97b8dd1b8df2196f4782
Instruction Fuzzy Hash: 0C62A8B1618381CBD330CF18D895BABBBE1FF96314F08892DE49A8B641E7719954CB53

Function 00251000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 0025157D, 002515EB
gfff, xrefs: 00252226
gfff, xrefs: 002522E1
-, xrefs: 002521ED
0123456789abcdefxp, xrefs: 00251587, 002515F8
@, xrefs: 00252C40
gfff, xrefs: 00252297

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 6f01571087226fd85aab72d422090a81599527cc4cfd4dbf075f86e2f635802e
Instruction ID: 6c2a22a4495501887d9759dd02cfdb894fb9b24ba0dc712816645c3b7d2fff72
Opcode Fuzzy Hash: 6f01571087226fd85aab72d422090a81599527cc4cfd4dbf075f86e2f635802e
Instruction Fuzzy Hash: 38D214316283428FC718CE28C49436ABBE2AFD9315F18862DE899C7391D774DD5DCB86

Function 0041BB74 Relevance: 10.5, Strings: 7, Instructions: 1709COMMON

Download Yara Rule

Strings

Vqwy, xrefs: 0041C53C
)e%1, xrefs: 0041BC13
@js, xrefs: 0041CFE7
oA'), xrefs: 0041CF26
>Kl^, xrefs: 0041C727
W/Ms, xrefs: 0041C2C0
Jg, xrefs: 0041CA38

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: )e%1$>Kl^$@js$Jg$Vqwy$W/Ms$oA')
API String ID: 0-2387840950
Opcode ID: a34cb7fc78818b4c9aa578379dd4108dce5596a8fad2def001b57c2fb81788ee
Instruction ID: 24c25dfa6b1ec14c6673c4db5977b08effb0f40f59c9e2125ba894780e6a7a99
Opcode Fuzzy Hash: a34cb7fc78818b4c9aa578379dd4108dce5596a8fad2def001b57c2fb81788ee
Instruction Fuzzy Hash: F5B228F360C204AFE7086E2DEC8567ABBE9EF94320F1A493DE6C5C3744E57558018697

Function 0041F1F9 Relevance: 10.3, Strings: 7, Instructions: 1575COMMON

Download Yara Rule

Strings

c~?, xrefs: 00420268
O1+, xrefs: 0041F2BC
G(?n, xrefs: 0041FB72
ax?{, xrefs: 0041FA2E
Av, xrefs: 0041FFCD
v~, xrefs: 0041FE37
?+6, xrefs: 0041F37B

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: ?+6$Av$G(?n$O1+$ax?{$c~?$v~
API String ID: 0-1736403546
Opcode ID: 470c15fa6fbd0cc49d1462c0796882eb064a0dee97879dc6ef2b4814753f9cec
Instruction ID: fe7fd1b2c36331d754a185789bc30216f56bcf2374d5e56e31519c2d4b95036b
Opcode Fuzzy Hash: 470c15fa6fbd0cc49d1462c0796882eb064a0dee97879dc6ef2b4814753f9cec
Instruction Fuzzy Hash: 28B2F7F3A08210AFE304AE2DEC8577AFBE5EF94720F16493DEAC4D3744E63558058696

Function 0042C531 Relevance: 9.0, Strings: 6, Instructions: 1548COMMON

Download Yara Rule

Strings

,Ew, xrefs: 0042C5F9
[D, xrefs: 0042D24C
B[, xrefs: 0042D2D3
$Qg, xrefs: 0042D377
et<, xrefs: 0042C749
o}, xrefs: 0042D77A

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: ,Ew$et<$o}$$Qg$[D$B[
API String ID: 0-3737778749
Opcode ID: 938b7c35501df8443480ea648357a5328291d801823f61d5b37b7f8ef9c42525
Instruction ID: 1f739233db4ebf015b1a90570f925be6438c52194fa3f3e3532e826054035616
Opcode Fuzzy Hash: 938b7c35501df8443480ea648357a5328291d801823f61d5b37b7f8ef9c42525
Instruction Fuzzy Hash: 72B2E4F260C2009FE304AF29EC8567AFBE9EF94720F16893DE6C4C7740E63598058697

Function 002512F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

i, xrefs: 002528EA
@, xrefs: 00253531
0, xrefs: 0025243E
0, xrefs: 00251E88
0, xrefs: 00251DC1

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 3bbec987adfe3c2d731ad5f959ff2a1191f49bbd32186075712e4f530cfc0605
Instruction ID: 317892597eb9230f22c4859f765803d49b7a3acf72a920f071aa2fb6cbd1581d
Opcode Fuzzy Hash: 3bbec987adfe3c2d731ad5f959ff2a1191f49bbd32186075712e4f530cfc0605
Instruction Fuzzy Hash: 5B62F27162C3828BC318CF28C49436ABBE1AFD6305F188A1DE8D987391D374D95DCB86

Function 0025164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 0025164F
gfff, xrefs: 00251F3C
0123456789abcdefxp, xrefs: 00251659
gfff, xrefs: 00251F57
+, xrefs: 00251573

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: e60a31924076d412a5d395d58402a32a1c20de5ee20f095d4d228eeb0c6292b3
Instruction ID: 78f7451931d325b98837c468d99d025ebf92563bfbfd9738ace757c5c6cbf1cb
Opcode Fuzzy Hash: e60a31924076d412a5d395d58402a32a1c20de5ee20f095d4d228eeb0c6292b3
Instruction Fuzzy Hash: 64F1B53161C3828FC715CE28C48436AFBE1ABD9305F188A6DE8D987392D774D95CCB96

Function 00416ACC Relevance: 6.7, Strings: 4, Instructions: 1711COMMON

Download Yara Rule

Strings

cXEA, xrefs: 004179C4
H>y, xrefs: 00417E68
$/-, xrefs: 00416CB5
wh>, xrefs: 004179D3

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: $/-$cXEA$wh>$H>y
API String ID: 0-3169739744
Opcode ID: b1584cdaf7d6ab31a536206621c27065ac6e98a64f5b2f5c964019bd29bf543c
Instruction ID: d42b39606e9f4eebd6f9cdf23808ef07eb9101e695ce4f404a4581e8f66dee52
Opcode Fuzzy Hash: b1584cdaf7d6ab31a536206621c27065ac6e98a64f5b2f5c964019bd29bf543c
Instruction Fuzzy Hash: 50B26CF360C204AFE304AE2DEC8567AB7EAEFD4720F1A853DE6C5C3744E93558058692

Function 0041D71C Relevance: 6.7, Strings: 4, Instructions: 1663COMMON

Download Yara Rule

Strings

mj, xrefs: 0041E720
3w], xrefs: 0041D786
Fa};, xrefs: 0041DB09
/J_o, xrefs: 0041E9F2

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: /J_o$3w]$Fa};$mj
API String ID: 0-4077560084
Opcode ID: b33eceda65f5460d308a8c4291a18b78e05a4ebee6b2573079defd06ec741ffd
Instruction ID: 13ed2bf35712b2684c3ec4d338d46d3777907da839e691271a07e25fd52bb9b0
Opcode Fuzzy Hash: b33eceda65f5460d308a8c4291a18b78e05a4ebee6b2573079defd06ec741ffd
Instruction Fuzzy Hash: B1B216F3A0C2049FE304AE2DEC8567AFBE9EF94720F1A453DE6C5C3744E97598018696

Function 002513A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 002513A3
gfff, xrefs: 00251F3C
-, xrefs: 00251F23
0123456789abcdefxp, xrefs: 002513AD
gfff, xrefs: 00251F57

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 625309fde7996ad853fdc31fc87c7ce855fa5d8fcc1e2f2f2b3cf48bd51793c7
Instruction ID: 6187aa83493af61fb5179e5557d06bab6ef93e4b0130d06064d50ffdb60a02e1
Opcode Fuzzy Hash: 625309fde7996ad853fdc31fc87c7ce855fa5d8fcc1e2f2f2b3cf48bd51793c7
Instruction Fuzzy Hash: C8D1B13561C7828FC715CE29C48036AFBE2AFD9305F08CA6DE8D987392D234D959CB52

Function 00424098 Relevance: 6.6, Strings: 4, Instructions: 1633COMMON

Download Yara Rule

Strings

={K, xrefs: 00424A38
F$kI, xrefs: 004247D8
n~S, xrefs: 0042509F
&{, xrefs: 00424195

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: &{$F$kI$n~S$={K
API String ID: 0-2977608098
Opcode ID: da26ece54ed0651c8c62f7b67843fd33800aaac605f044a164033a63de37d317
Instruction ID: 93ae699f13f45d0b3fe7752e4a61bb368900b14074cdf5a9e74fc10a8e8eab2e
Opcode Fuzzy Hash: da26ece54ed0651c8c62f7b67843fd33800aaac605f044a164033a63de37d317
Instruction Fuzzy Hash: 18B217F360C2049FE304AF29EC8567ABBE9EFD4720F16892DE5C4C3744EA3598458796

Function 00272260 Relevance: 6.6, Strings: 5, Instructions: 383COMMON

Download Yara Rule

Strings

hu, xrefs: 0027232F
a|, xrefs: 00272317
lc, xrefs: 00272507
b&', xrefs: 0027265C
sj, xrefs: 00272327

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: a|$b&'$hu$lc$sj
API String ID: 0-1720278627
Opcode ID: 0ef3b41793695afe8e94652d937e0c7a0128bf28ae4f2dee03d9dfe4436b7199
Instruction ID: f413dfe15d691e8a4515016ebb8e5ea9d01181b21056e67df3ed9fec5434d6ac
Opcode Fuzzy Hash: 0ef3b41793695afe8e94652d937e0c7a0128bf28ae4f2dee03d9dfe4436b7199
Instruction Fuzzy Hash: A8A1AC70428341CBC720DF18C891A2BB7F4FF96354F549A0CE8D99B291E339D959CB96

Function 0041350D Relevance: 6.6, Strings: 4, Instructions: 1562COMMON

Download Yara Rule

Strings

Cr~, xrefs: 004145E5
2G>>, xrefs: 004143BF
.M|, xrefs: 004144F9
2G>>, xrefs: 004143FA

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: .M|$2G>>$2G>>$Cr~
API String ID: 0-154707369
Opcode ID: 592080e5fcd9402aaec89e1527829fe2b499006666e26c579f92a020967fb7ec
Instruction ID: 8f232bb510557f4090e3d343fa64bcdd7de0fa7c97fbf4afeaad1a268178954d
Opcode Fuzzy Hash: 592080e5fcd9402aaec89e1527829fe2b499006666e26c579f92a020967fb7ec
Instruction Fuzzy Hash: 5EB2F4F360C2049FE304AE29EC8566ABBE9EF94720F16493DEAC4C7744E63598058797

Function 00427BBD Relevance: 6.1, Strings: 4, Instructions: 1072COMMON

Download Yara Rule

Strings

QJY, xrefs: 004282B7
bOZ?, xrefs: 0042884B
a#oO, xrefs: 00428605
q{N, xrefs: 0042846F

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: QJY$a#oO$bOZ?$q{N
API String ID: 0-3828173543
Opcode ID: 8f4ee3aa894d97ea0a07b40eaf229fdb0b4cd67deaf1ba204832c7ce6f7a2a53
Instruction ID: a51f814e1fda1a17ed5ec46cba7afd3e5813f2a439369558436bc2fc2d77a99a
Opcode Fuzzy Hash: 8f4ee3aa894d97ea0a07b40eaf229fdb0b4cd67deaf1ba204832c7ce6f7a2a53
Instruction Fuzzy Hash: E172C4F3A082049FE304AE29EC8567AFBE5EFD4720F16892DE6C5C3744EA3158458797

Function 0027FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

m1s3, xrefs: 0027FEC3, 0027FECB
:, xrefs: 00280087
NA_I, xrefs: 0028036D
uvw, xrefs: 0027FE95

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 1b5c4b94f98e605b9c56af0bd9538a782f7d7ddf1220da0552dd0dcb6cc5e51e
Instruction ID: 3c6aa29d613be3b6edd0085a6e49a49118f64008981ac28bcd50a20ebed6914a
Opcode Fuzzy Hash: 1b5c4b94f98e605b9c56af0bd9538a782f7d7ddf1220da0552dd0dcb6cc5e51e
Instruction Fuzzy Hash: B732BBB4529381DFD310EF28D884B2ABBE5BB8A310F14495CF5D48B2A2D735D929CF52

Function 00263BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

p, xrefs: 00263C80
;z, xrefs: 00263C87
%*+(, xrefs: 00263EC4
ss, xrefs: 00263C79

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 23d14116cfa3dce7953ff0dd76f62a544b1dbe26e1540218a53ab36ab3f14451
Instruction ID: 4e6f84b06b1dae63e21d603c2f1b860d90eb9995dd4d23a71954295aafecd23c
Opcode Fuzzy Hash: 23d14116cfa3dce7953ff0dd76f62a544b1dbe26e1540218a53ab36ab3f14451
Instruction Fuzzy Hash: A4025CB48207009FD760EF24D986756BFF4FB06301F50495DE89A9B656E331E468CFA2

Function 00420C74 Relevance: 5.3, Strings: 3, Instructions: 1545COMMON

Download Yara Rule

Strings

mgN, xrefs: 0042156E
Ik?, xrefs: 004217CD
cc|, xrefs: 004216DD

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: Ik?$cc|$mgN
API String ID: 0-2757068315
Opcode ID: 640f178318e35778b9d93ba13363dc7e9df77f9e1147d8748462025192ceaad7
Instruction ID: 24c9a82c316a59ef7f035889e1cff3ea9778c76c53efc75780f1eba119f01783
Opcode Fuzzy Hash: 640f178318e35778b9d93ba13363dc7e9df77f9e1147d8748462025192ceaad7
Instruction Fuzzy Hash: B5A2D2F360C2049FE708AE29EC8577AFBE9EF94320F16493DE6C583740EA7558408697

Function 0027D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

#', xrefs: 0027D9EA
KV, xrefs: 0027D97D
CV, xrefs: 0027D98B
T>, xrefs: 0027D984

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 7d8e69006abb1fe6b540af67970efab6a9897ab72ab71e89399deddf6ab10235
Instruction ID: bcc5ff4a916315593aa74b2eb1b5c25e185dc81690b943784cb2923c1216d361
Opcode Fuzzy Hash: 7d8e69006abb1fe6b540af67970efab6a9897ab72ab71e89399deddf6ab10235
Instruction Fuzzy Hash: F58145B48117459BCB20DFA5D28516EBFB1BF12300F609608E4867BA55C330AA65CFE2

Function 0027AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 0027AD07, 0027AD13
lk, xrefs: 0027ACBC
(g6e, xrefs: 0027ACA1
4c2a, xrefs: 0027ACA9

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 0dfffe8cac8ce477ff269a08e95ee483ec456e5c8b0c8f3afcaffaf2b6ecda54
Instruction ID: 4de01da2d4025d3eb72313f4fb1694d1dce05941bdfda12928b5c841b531c0b3
Opcode Fuzzy Hash: 0dfffe8cac8ce477ff269a08e95ee483ec456e5c8b0c8f3afcaffaf2b6ecda54
Instruction Fuzzy Hash: 2A4194B4418382CBD7209F20E904BABB7F4FF86305F54995DE9C897260EB32D954CB96

Function 0027C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0027C9E4, 0027C9ED
%*+(, xrefs: 0027C8C3, 0027C8CB
~/i!, xrefs: 0027C537

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: dd08bad26c0be345c530b56f6a87dce4012b330bfd2b53ebe6fb9854c2f4c568
Instruction ID: 3623b61986bff33182c182b95488bbc2fef29afc90f630060cf7e0b38bfc76e1
Opcode Fuzzy Hash: dd08bad26c0be345c530b56f6a87dce4012b330bfd2b53ebe6fb9854c2f4c568
Instruction Fuzzy Hash: 86E1ABB5528340DFE7209F64E885B1BBBF9FB86350F58882CE68987251DB31D824CF52

Function 00258590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 0025860C
), xrefs: 00258616
IEND, xrefs: 002589F0

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 52c97f2467f923ffad8278fd6d6321a577c5963328156c2a9a0c63e3348be6d0
Instruction ID: 0780a2bfb669f79b851dfd6f4a9c6c76d28f4aaf8434b0ba352f1272280d59f7
Opcode Fuzzy Hash: 52c97f2467f923ffad8278fd6d6321a577c5963328156c2a9a0c63e3348be6d0
Instruction Fuzzy Hash: 0FE1F571A183029FD310CF28D84572ABBE4BF94315F14492DF995A7381EBB5E928CBC6

Function 0042AA74 Relevance: 4.1, Strings: 2, Instructions: 1623COMMON

Download Yara Rule

Strings

k{{[, xrefs: 0042B73F
02@r, xrefs: 0042AC7A

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: 02@r$k{{[
API String ID: 0-3179352057
Opcode ID: e99a5c41b9035a5f98cefde5cb20757782cf5ff66ef120a5bae4b13777f19c63
Instruction ID: 45da80a2e7c0edb8edad04319882948599330b38f0a96705794b623e9591452a
Opcode Fuzzy Hash: e99a5c41b9035a5f98cefde5cb20757782cf5ff66ef120a5bae4b13777f19c63
Instruction Fuzzy Hash: 2EB23AF360C6009FE304AE2DEC8577ABBEAEF94320F1A853DEAC5C7744E53558058696

Function 004225FD Relevance: 4.1, Strings: 2, Instructions: 1575COMMON

Download Yara Rule

Strings

$cxd, xrefs: 0042366F
0J7, xrefs: 00423340

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: $cxd$0J7
API String ID: 0-4241226293
Opcode ID: 2ece545e0f2b34994ec515d5d4897cfa8241e908f6688587639b1db3a6c15912
Instruction ID: 6d5f067609c86aeb4f80531bf86f6e8d67150df36dec30b27ca138e53b34311e
Opcode Fuzzy Hash: 2ece545e0f2b34994ec515d5d4897cfa8241e908f6688587639b1db3a6c15912
Instruction Fuzzy Hash: 94B2E5F3A082009FE304AE2DDC8567AFBE9EF94320F16493DEAC4C7744EA3558458796

Function 00294040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 002940A4, 002940AD
f, xrefs: 0029420C

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: f8e4760bfb226429907fbeab252b7936fe5c5c785bfa6e1b31d3f2b7d3b64945
Instruction ID: 426a3e36c6f9c801b0f63a628f2ca2d74082b47958256acf2c3ba615b2ae2f5b
Opcode Fuzzy Hash: f8e4760bfb226429907fbeab252b7936fe5c5c785bfa6e1b31d3f2b7d3b64945
Instruction Fuzzy Hash: 3C12BD716183418FCB14DF18C880F2EBBE5FB89318F588A2CF4989B291D731D956CB92

Function 0028F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 0028F7F5
hi, xrefs: 0028F6E6

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 518d5a42d3ef30ebd35a4289826995647698049dca72719c2bebb49ad6455406
Instruction ID: 1d5f2960c066121305c603732fd6388d060d3efd946504108c42716c4a8a6db3
Opcode Fuzzy Hash: 518d5a42d3ef30ebd35a4289826995647698049dca72719c2bebb49ad6455406
Instruction Fuzzy Hash: 34F19575628341EFE704DF28D895B2ABBF6FB86344F14892CF1958B2A1C734D859CB12

Function 002535B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 0025360E
Inf, xrefs: 00253607

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 19b1fce15189ca96cd364ffca2ea8d36f76c1b1d35774f8dc3605010d47a7d65
Instruction ID: f39f4f40f15991c4694e795aaa7e469c5528527d592a9b5f93dfad3597f3f767
Opcode Fuzzy Hash: 19b1fce15189ca96cd364ffca2ea8d36f76c1b1d35774f8dc3605010d47a7d65
Instruction Fuzzy Hash: 85D1E8B1A283129BC704CF28C98061EF7E5FBC8791F25892DFD9997390E671DD188B85

Function 0026FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

BaBc, xrefs: 00270197
Ye[g, xrefs: 002700F6

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 98cf6f9c647ebb1be50825070f4c39e7dbaece5f032b1868485ef8a1e3b06aaa
Instruction ID: 716753eca02be3811aa926ced2989a699ef94c20da46baa4ec7f4cfefa09415d
Opcode Fuzzy Hash: 98cf6f9c647ebb1be50825070f4c39e7dbaece5f032b1868485ef8a1e3b06aaa
Instruction Fuzzy Hash: 5A519CB1628381CAD331CF14C481BABB7E4FF96320F19891DE49D8B651E3749958CB56

Function 00255160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 002554C8

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: d35cd5ad433c0675f024d9eb57351c91d90336a5470021489b334182f6c966ee
Instruction ID: 3c85541bbceeab349bf0f9f9f30aed297bd6bac4ae9724d90cbddf1f39cadd10
Opcode Fuzzy Hash: d35cd5ad433c0675f024d9eb57351c91d90336a5470021489b334182f6c966ee
Instruction Fuzzy Hash: D82226B1528B62CBE7158E18C460326FBA2AFE0316F1C856DDC594B341E7B1DC6CC749

Function 002812D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 002815D1

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: c2b75dc05fae34bb7b78bd09b2abc21b3e698127a416cdcc00b7deb98ac99870
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: DDF15879A193424FC724DE24C48162BBBE9AFC1350F18C95DE889873C2D734DC26CB91

Function 0027AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0027B2D3, 0027B2DB

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 443482dc460fc1b5cb271628b5c86655df691806438b49d6249a153ed556c812
Instruction ID: ee925c4a83bed844f0db778d7d8b095c18205dae23a7a49489065a504639a3c6
Opcode Fuzzy Hash: 443482dc460fc1b5cb271628b5c86655df691806438b49d6249a153ed556c812
Instruction Fuzzy Hash: 42E1BD71528306CBC715DF28D89066FB3E2FF99791F54891CE8C987260E731E9A5CB82

Function 00266EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00266EF3

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: a2fec73d970d32cc337a08acc390513b785815c7f7e9f4c5388526fedc06d9cb
Instruction ID: c02b6ce4105e490a64a1993f077ca837f1aded7a26ab30337cd9c6d56be01538
Opcode Fuzzy Hash: a2fec73d970d32cc337a08acc390513b785815c7f7e9f4c5388526fedc06d9cb
Instruction Fuzzy Hash: 60F1A075620B01CFC724DF24E985A26B7F6FF48315B24892EE49787A91EB31F865CB40

Function 00277E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00278263, 0027826B

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5c62ea71b70d4b4e47221062958fa44e48a9979b9a5bfd49b046ac4a87be90db
Instruction ID: 1836ef7ad3a3f511150bc88311cc0b0ad8870fb60ea761e97ca4abc6e0f877f9
Opcode Fuzzy Hash: 5c62ea71b70d4b4e47221062958fa44e48a9979b9a5bfd49b046ac4a87be90db
Instruction Fuzzy Hash: F5C1CD71528301ABD710AF14C886A2BB7F5EF95754F48881CF8C99B252E734EC25CBA3

Function 00278D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00279233, 0027923B

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: b3fbe2e77095bf86fe0a1ec98b1c52fb467fed03b8d3ea4680215f24784efc81
Instruction ID: 3ea56156cf2b288728d90342d8f925870dd9d9e2700329428fb51f17bd12acae
Opcode Fuzzy Hash: b3fbe2e77095bf86fe0a1ec98b1c52fb467fed03b8d3ea4680215f24784efc81
Instruction Fuzzy Hash: A7D1E171628702DFD704DF68EC94A2AB7E5FF8A304F49886CE886D7251DB31E860CB51

Function 00264487 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

BI&, xrefs: 0026485E

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: BI&
API String ID: 0-2146038029
Opcode ID: 5431d553123cb36653d8ebbafc29e1a5637ecc65b5d9692b57d2d56ffb17f12c
Instruction ID: be0089860a9511e9dc1a2e3078cae32a2c9b33db3237eed4f3e0e10b86686ed9
Opcode Fuzzy Hash: 5431d553123cb36653d8ebbafc29e1a5637ecc65b5d9692b57d2d56ffb17f12c
Instruction Fuzzy Hash: 25E110B5510B008FD361DF28E9A6B97B7E1FF06709F04886DE4EAC7652E731A8648B14

Function 00297FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00298167

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 9910955681f215a3d435c8e2acb7c2227cfdb751bb0fc4b4d36b11cbd88e96ed
Instruction ID: 9d577a64c1d2c4ffc39cdcaa9b729805c6c09d20318c6fc6a3f4f3b689bd2463
Opcode Fuzzy Hash: 9910955681f215a3d435c8e2acb7c2227cfdb751bb0fc4b4d36b11cbd88e96ed
Instruction Fuzzy Hash: CBD1F5729182714FCB25CE18D89072FB7E1EB85718F5A862CE8A5AB390CB71DC16C7C1

Function 00296CBF Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"p), xrefs: 00297015

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: "p)
API String ID: 0-2835720710
Opcode ID: ea44162bf7b3c9597d2d8465830b8df131576694ad61f4fd2e64a15d39e3a597
Instruction ID: 306776fd98bcfb0c3f4fec3e4411101d4b97b88ac1df4ed937fe88defc456b7c
Opcode Fuzzy Hash: ea44162bf7b3c9597d2d8465830b8df131576694ad61f4fd2e64a15d39e3a597
Instruction Fuzzy Hash: A2D1F336618351CFCB14CF38E88452AF7E2BB8A314F098A6DE895D73A1D734DA54CB91

Function 0027CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0027CDC3, 0027CDCB

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: dae99396ffc0e19d918ee36c35767ada29c47da36aee38ab481e1d7318bfd964
Instruction ID: 71ee10bee99bed71783f3041fe477e7a28fa13ec313e6b4812079f1477fcde7b
Opcode Fuzzy Hash: dae99396ffc0e19d918ee36c35767ada29c47da36aee38ab481e1d7318bfd964
Instruction Fuzzy Hash: 03B1F0706293028BD714DF24D880B2BFBF6EF95350F24892DE5C99B251E335E865CB92

Function 0025A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 0025A9C3

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: e6f217a32eea126b8665ced91207c973676ad60e44ad1d5437fd81765e65f6f7
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: 86B118712083819FD325CF18C88161BBBE1AFA9704F448A2DF5D997742D671EA18CBA7

Function 0028FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0028FCA4, 0028FCAD

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 643afce8c3516f79e25de6abdef05e50d9be51f9d09d944c84d4bbf8d8c26cc3
Instruction ID: 2bd740eaf543030ca3254b077c63cef2fad12fb4381962eb4899e5d35a1eb7b1
Opcode Fuzzy Hash: 643afce8c3516f79e25de6abdef05e50d9be51f9d09d944c84d4bbf8d8c26cc3
Instruction Fuzzy Hash: 0181BF75129301EFD710EF58ED84B2AB7E5FB99705F14882CF68497292E730E924CB62

Function 0026D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0026D663, 0026D66B

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: bc42c7df1e072258ffaca2e2f7d79b855e12dbae62a96391d4b3826c93f02524
Instruction ID: af0694d75b78e66d9ec7a9bf9642705e90bc43783cce7271293eb3a049e4df93
Opcode Fuzzy Hash: bc42c7df1e072258ffaca2e2f7d79b855e12dbae62a96391d4b3826c93f02524
Instruction Fuzzy Hash: CB61F471A24305DBD710EF18EC82A7AB3B4FF95354F48082CF98A87251E731E964CB92

Function 003DF7DC Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

f]}, xrefs: 003DF83B

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: f]}
API String ID: 0-2418897833
Opcode ID: 10a793d40771f468a871eec827cc0fb52a648bbc2d20d02f5f0b21a40ac5d481
Instruction ID: 01b681350be34a1a3ea72f2689f5e66f34b5255c55d6d55e7063a8963007b801
Opcode Fuzzy Hash: 10a793d40771f468a871eec827cc0fb52a648bbc2d20d02f5f0b21a40ac5d481
Instruction Fuzzy Hash: 287147F3A083085FE314AE6DEC8576AB7E4EF80720F16463DE6C4C7784E57998458686

Function 00294A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00294C33, 00294C3B

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 838e3a9218107d351272bb6f9a88a93d0fb3437ff6906317ac0391a274e27d04
Instruction ID: e0e928822f601b579498740c18e9d1809048f7070cd83626416cf39d24d8b851
Opcode Fuzzy Hash: 838e3a9218107d351272bb6f9a88a93d0fb3437ff6906317ac0391a274e27d04
Instruction Fuzzy Hash: B061FF71A283029FDB10EF15D890F2AF7E6EB85318F18891DE58487291D771EC22CB52

Function 002CBA5E Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

rX=, xrefs: 002CBB0F

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: rX=
API String ID: 0-3059154372
Opcode ID: 6512df9ef6d52ca0db46ca201f5c2805cc76e30cc3ff4ffd7ace05bb153b1d3c
Instruction ID: 8caef593f22319238d4e9d264a52239bbf42a188aa26faa3efab9ff0134d4c7a
Opcode Fuzzy Hash: 6512df9ef6d52ca0db46ca201f5c2805cc76e30cc3ff4ffd7ace05bb153b1d3c
Instruction Fuzzy Hash: C35116F3E08304ABF3006A6DECC5767FBD9EB94710F1A463CDA98D3380E57999044296

Function 0025E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0025E333

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: a07ec58563123b4b2d4fe3003fcbda7ded567139994973a6caf281fcf01e8c05
Instruction ID: ed4ccd341af3c39b49e0e08a3ffd0ce65c2a5e81d667cbaab0e01a43e2e0f688
Opcode Fuzzy Hash: a07ec58563123b4b2d4fe3003fcbda7ded567139994973a6caf281fcf01e8c05
Instruction Fuzzy Hash: 40513723A3D6904BD72C993C5C553A96A870B92334F3FC3AAEDB5CB3E8D56549184380

Function 00293920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 002939E3, 002939EB

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 0feb69687b9eebb8c46d42037dc1c4c2711114545a8c436eede7cc30ff229a26
Instruction ID: 483d42107b7f27e85c7bece5b72bd471aac3dc296eeed64b9eab8fa20c284b2f
Opcode Fuzzy Hash: 0feb69687b9eebb8c46d42037dc1c4c2711114545a8c436eede7cc30ff229a26
Instruction Fuzzy Hash: 7C518C346292019BDF24DF19D884A2AFBE6FB86744F18882CE4C697251D771DE20CB62

Function 0052E058 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

EI~, xrefs: 0052DF6F

Memory Dump Source

Source File: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: EI~
API String ID: 0-494691529
Opcode ID: 129ec1dc99713502d817b0e447b63e0a609651e33a00f21820921989c5b2a321
Instruction ID: 757122cbc8d107ad0156e7e40c1a94304404f281d584cfb109d810b65973ecc1
Opcode Fuzzy Hash: 129ec1dc99713502d817b0e447b63e0a609651e33a00f21820921989c5b2a321
Instruction Fuzzy Hash: C94159B341C3288BD3083A28ED4A27ABBE4FF45320F354A3DDAD2873C4EA7455419697

Function 00261BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00261C3E

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 1084abdec0e2e1005174011f5317b5ce9c83bfa34f00c509e4e4a35d15d579a4
Instruction ID: a161fb2f008a3ff5872acb490cb7aa2e6a613f73bb2b6eed38fd4e4efd668cb3
Opcode Fuzzy Hash: 1084abdec0e2e1005174011f5317b5ce9c83bfa34f00c509e4e4a35d15d579a4
Instruction Fuzzy Hash: 194162B40183819BC714AF24D894A2FBBF0BF86354F08890DF5C59B290D736D965CB57

Function 0028FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00290033, 0029003B

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5318fac5682d2e36d26cfbf0c015b5aaa357645484068ee327bcd76114ab286e
Instruction ID: 25b362dcadb2500e5b264895b9ee18d156e39dc968d87e9e6aa315f5f9600d3e
Opcode Fuzzy Hash: 5318fac5682d2e36d26cfbf0c015b5aaa357645484068ee327bcd76114ab286e
Instruction Fuzzy Hash: FC31F6B5928319AFDE10EE14DC81F2BB7E8EB85744F544828F88597252E231DC34CBA3

Function 0027E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 0027E6A2

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: cabcaa5e82b36cc74cff461af1fc02aa06a66412302626106e2f0cfea81fe772
Instruction ID: b8a5b49f68522d7566cb4e01e05ab5e89f517c5e6d366b13d4672df800f9587e
Opcode Fuzzy Hash: cabcaa5e82b36cc74cff461af1fc02aa06a66412302626106e2f0cfea81fe772
Instruction Fuzzy Hash: 7431E4B5910306CFCB24DF95E8805AFFBB4FB1A345F144868E44AAB341D731A925CBA2

Function 00266F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0026703B

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 146de75fb00d9ebe172b604b55677fb2c24b7666ea3c93f66c251abab6b8ce87
Instruction ID: 8e520b4a7c349f825531000bbff5d4e6d9b286eb7981f78c45ad96cfb2adbe81
Opcode Fuzzy Hash: 146de75fb00d9ebe172b604b55677fb2c24b7666ea3c93f66c251abab6b8ce87
Instruction Fuzzy Hash: A2416C71224B15DFD7358F61E994B27B7F2FB09704F24881CE58697A61E731F8608B20

Function 0027E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 0027E6A2

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 1e412eb720461c009e154dbd18ec82ca0fc16289d2f32954b27acf42e8cca4e7
Instruction ID: 0d5340404bfcb4ab5345d59809ade554fbc7f16332c7b23b3970bffd109e46ce
Opcode Fuzzy Hash: 1e412eb720461c009e154dbd18ec82ca0fc16289d2f32954b27acf42e8cca4e7
Instruction Fuzzy Hash: 7B2102B5910306CFCB24CF95E88096FFBB4BB1A305F14485CE44AAB341D331AD24CBA2

Function 00299CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00299D30

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: e4f40c1289e0759767346729c546bd5a002c67b28bd963fbe1cde741c0d552a8
Instruction ID: 1194544f1adcf98b41aaf05aef6ca57624c118d75b056090daa1dd9af61804f3
Opcode Fuzzy Hash: e4f40c1289e0759767346729c546bd5a002c67b28bd963fbe1cde741c0d552a8
Instruction Fuzzy Hash: CB3189705193019BDB10EF19D880A2BFBF9FF9A324F14892CE5C897251D335D954CBA6

Function 00264E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05801050f41f56937b061e86fa2f2ccc8921dd7f3ced424ab91f8b764fccd8f
Instruction ID: e7527ecb0970b771b41243dd4a034531a4c94cec5134ceddf9fc90f1c35bd6e7
Opcode Fuzzy Hash: d05801050f41f56937b061e86fa2f2ccc8921dd7f3ced424ab91f8b764fccd8f
Instruction Fuzzy Hash: DC6279B0520B418FD725CF24D990B27B7F5AF4A704F54896DD49B8BA52E730F8A8CB90

Function 0025BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 7b53569b82a6583510b0f5b5ffeca2218a7264792d39725311e8c279c1503fd7
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: B552D6315287128FC7259F18D4402BAB3E1FFD531AF254A2DDDC697280F774A869CB8A

Function 00298652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9801feeb8997baa0d209c4d1cfd9cb3befa882decde98d6e1e2bded77e967458
Instruction ID: c4b44603b2cee0662ffb851df6b14b9cda82aab9c21d2f33cbeaa83ecdbb610c
Opcode Fuzzy Hash: 9801feeb8997baa0d209c4d1cfd9cb3befa882decde98d6e1e2bded77e967458
Instruction Fuzzy Hash: FD22DE35618341CFCB04EF68E89462AF7E1FF8A315F09886DE98987351CB71D9A0CB42

Function 002986F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e981f6db85a60f02704da4eee2e0faa4be0065a39079fa2a572e735aab863c23
Instruction ID: fc49d652b8c385ce24efb2e8da8eeda6de276b38923a310424fd27f4f86f3453
Opcode Fuzzy Hash: e981f6db85a60f02704da4eee2e0faa4be0065a39079fa2a572e735aab863c23
Instruction Fuzzy Hash: A522CC35618341DFCB04EF68E89461AFBE1FF8A315F19896DE48987351CB71E860CB82

Function 0025B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5de1a1b857d15d14ae792f758994e3f904a4b650e8ea94f1ace35e7f7704b2
Instruction ID: 8c1b70c18a5782c74044a2865699f013e45f67fcee6e702be7a2435a4076a145
Opcode Fuzzy Hash: 5d5de1a1b857d15d14ae792f758994e3f904a4b650e8ea94f1ace35e7f7704b2
Instruction Fuzzy Hash: 7852D570918B858FE736CF34C0843A7BBE2AF95315F144C2DC9D606B82D779A899CB49

Function 002571F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9487c1caabbd9bd20edfa0c72cce575d100be50833caf7648c0e23baca34b60
Instruction ID: d7af3412aba89a8907cf2d514ce33ba967215378b85b85ce7467b6f0c480ebbb
Opcode Fuzzy Hash: c9487c1caabbd9bd20edfa0c72cce575d100be50833caf7648c0e23baca34b60
Instruction Fuzzy Hash: F952F13151C3468FCB15CF28D0806AABBE1BF88315F188A6DFC999B341D774E999CB85

Function 00258FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c560b0dc67f5ec76cbbbaee390e807cadb5bcc7d9149692328b3553403ae49ae
Instruction ID: b9f53d52b0fd702b87d4a298ee741a3297f4c68d3729e207d89e40d28b3708df
Opcode Fuzzy Hash: c560b0dc67f5ec76cbbbaee390e807cadb5bcc7d9149692328b3553403ae49ae
Instruction Fuzzy Hash: 6C427775618301DFDB04CF28E85476ABBE1BF88315F0A886DE8858B391D735D999CF82

Function 00257BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a25257dce31c90ef05aebaeb4c04460b508aa973f4fc6cb504cd472f040cf2d
Instruction ID: c77446c7ca15c2010c9a7f0525d809e3dc8ab39a237a7516e2aa87eef0e438af
Opcode Fuzzy Hash: 9a25257dce31c90ef05aebaeb4c04460b508aa973f4fc6cb504cd472f040cf2d
Instruction Fuzzy Hash: 1C324370524B118FC328CF29C59062ABBF1BF45711B604A2EDA9797F90D7B2F859CB18

Function 002989A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7933429b9e2fa1a32ced913c2890a1b711b05f8164d6c811f0c1e8a65913f9
Instruction ID: 84fcaed9c9752686aef2d92c288898272cd8ae2813367bbb0c9aadcc5347adf0
Opcode Fuzzy Hash: 7d7933429b9e2fa1a32ced913c2890a1b711b05f8164d6c811f0c1e8a65913f9
Instruction Fuzzy Hash: 9902BB34618341DFCB04EF68E88461AFBE5EF8A315F19896DE4C987361C775D860CB92

Function 00298A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67610506ec5934ae5225b3c1bb1d2deff91fc7f95457cac10307c7c999030fd2
Instruction ID: e62f4d18d88112dc31fdbd302f13f01a92669b204dbbcd6db3446fe26f2bea72
Opcode Fuzzy Hash: 67610506ec5934ae5225b3c1bb1d2deff91fc7f95457cac10307c7c999030fd2
Instruction Fuzzy Hash: 01F1A83061C341DFCB04EF28E88461EFBE5EB8A315F18896DE8C987251C776D960CB92

Function 00298C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2a325dc4ef8999694d346abb175bcd29914d5638f2c61222ac6799b97f7ea5
Instruction ID: 52621285493a02d5a89483598d7df898d39c3187fcbe3993550e14471c42d26e
Opcode Fuzzy Hash: ca2a325dc4ef8999694d346abb175bcd29914d5638f2c61222ac6799b97f7ea5
Instruction Fuzzy Hash: 0DE1DF31618341CFC704EF2CE88462AF7E5EB8A315F19896CE8D987351D776E860CB92

Function 0025A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 9b01c3dc815cf97786313a6ef62368c00bde6138208704edd736f28a19ec68c8
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: F4F1CD766083418FC724CF29C88176BFBE6AFD8300F08892DE8C587751E639E959CB56

Function 00298E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1d3dc57129738cc562e0c787418e17758fe7f958f17e5740875a9aa9988e4f
Instruction ID: 91d282ae2d9b6ee2609926264be7cf73d9e1e64da257a301fa9ae5d8e4c23081
Opcode Fuzzy Hash: 2f1d3dc57129738cc562e0c787418e17758fe7f958f17e5740875a9aa9988e4f
Instruction Fuzzy Hash: 7DD1BB3061C381DFDB04EF28E88462EFBE5EB8A315F18896DE4C587251D736D860CB92

Function 00297AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1320896ceffb48a8445f72b5b38b068ae95b2b26a25aa7db5e7e6aacd8d20866
Instruction ID: bd565e3abc3318d5770b454ce83a5739e9a364aac10ad21a42ce596089bc500f
Opcode Fuzzy Hash: 1320896ceffb48a8445f72b5b38b068ae95b2b26a25aa7db5e7e6aacd8d20866
Instruction Fuzzy Hash: C4B10472A2C3504BEB24DE28CC4576BB7E9AFC5314F08492DF99997381EB35DC148B92

Function 0025AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: 8e7515cd5889f6ad4f45051fa42585503c45f72ae2b15d69efbc7eece7d40c8e
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 95C18DB2A187418FC370CF28DC967ABB7E1BF85318F08492DD5D9C6242E778A159CB46

Function 00266536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8bd742736d652374bcb6bca6a4d110b2ea9bef196a9ff11c7612e1cf50385e
Instruction ID: 19b25f0cfedf18dccd16df50a79c3cc3706a01b5ff93dced044ff9f266da01d8
Opcode Fuzzy Hash: dc8bd742736d652374bcb6bca6a4d110b2ea9bef196a9ff11c7612e1cf50385e
Instruction Fuzzy Hash: 61B12FB4610B408FC321DF24C985B27BBF6EF46704F54885DE8AA8BA52E335F855CB94

Function 00297710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f558f5291fa03822869b0f5d349a8bcfce830c065a685dc0babcdc26633939e8
Instruction ID: 338f429b754e213fd5111ec9c2ccd8a585f1002cd111760cb9c523779df20339
Opcode Fuzzy Hash: f558f5291fa03822869b0f5d349a8bcfce830c065a685dc0babcdc26633939e8
Instruction Fuzzy Hash: BE917A71A28311ABEB20DF14DC45BAFB7E5EB85354F54481CF98897392E730E960CB92

Function 0029A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2ac9775cebf3a1408d2310cf4127ba36c35ee4ade1ae78fdfd4d69a501cd64
Instruction ID: b2566ce6bc04bf86ade66155495e1c6aedfe6db2ff0f13e1b7831911eca2a272
Opcode Fuzzy Hash: 0b2ac9775cebf3a1408d2310cf4127ba36c35ee4ade1ae78fdfd4d69a501cd64
Instruction Fuzzy Hash: 82817E346187028BDB24DF28D890A2FB7E5FF89740F55896CE98587261E731EC60CB92

Function 0036BDB1 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070ecc798e751dfe3d8582d9f69ed364b35bd6039db6b8edb5fc53189952ba8c
Instruction ID: 6de108cceb408e5c327139853586c83ff381cd16a0967ddb7ea4535ed71632fb
Opcode Fuzzy Hash: 070ecc798e751dfe3d8582d9f69ed364b35bd6039db6b8edb5fc53189952ba8c
Instruction Fuzzy Hash: 09716AF3E182245BE7046A2DDC8537ABBD5DB94320F2B853DDEC8A7780E9395C0482D6

Function 002864F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a938034fff166fd102a9b636026d6bdc904b9e728440c58acc1ee40220ceef7b
Instruction ID: 168305dd4c71276363aeb2e628defaea28b9e764269e903b6982389a5d8d1d65
Opcode Fuzzy Hash: a938034fff166fd102a9b636026d6bdc904b9e728440c58acc1ee40220ceef7b
Instruction Fuzzy Hash: CA711737B3AA904BC314AD7C5C4A395BA435BD6334B3EC379A9B48B3E5D5694C264380

Function 002728E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571eb7cfc7ed1983b60d15468840660c2b06aff71de294438cc26162bcb9846c
Instruction ID: 4479dc7b1980d3662aa877c551a6c3a7951bf1faaf9cdf178a344092ceb230a2
Opcode Fuzzy Hash: 571eb7cfc7ed1983b60d15468840660c2b06aff71de294438cc26162bcb9846c
Instruction Fuzzy Hash: A8618A74428351CBD310AF14D841A2BBBF4EF92755F14891CF8C99B261E33AC924CB67

Function 00277C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a45411818a0b4ee6680fb9f7a280f7df34a1c7a4bfe7229a62129777a356f5
Instruction ID: 58bfbabf995a88321eadfb933c4003736ef43543ff30312ad108cd4b2ae6c3b0
Opcode Fuzzy Hash: 09a45411818a0b4ee6680fb9f7a280f7df34a1c7a4bfe7229a62129777a356f5
Instruction Fuzzy Hash: 8451BFB16283059BDB209F24CC92B7733B4EF86758F148958F9898B291F375DC15C761

Function 00281860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: d787c051b2bbc29e8a85f6dd4a4cc125ef525665405a20b45637f653a310b1ed
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: CA61D43562A3029BD718EE28C58071FBBEAABC5350F64C92DE4898B3D5D270DDB2D741

Function 002882D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3fd06c8e6b9f7b0b38d0ba5d03ea5954e0d603105a6da3ce5f8f38e16b3bea
Instruction ID: c1619376cac708fbe99b8154b3b9303ad335209f90d5cd7bc0a277ccd626c73a
Opcode Fuzzy Hash: 1d3fd06c8e6b9f7b0b38d0ba5d03ea5954e0d603105a6da3ce5f8f38e16b3bea
Instruction Fuzzy Hash: 79615B3BB7B9914BC314653C5C453A6AA831BD2330FBEC3A6D9B18B3E5CDA94C114342

Function 002642FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768825d75d7e4c5fc15e46df28573466f8d19bb1eeca4785930e067c2c322d1d
Instruction ID: 15ccccc45ccb1f0208436e3635da2e57e889f8dec1ba093e9fea43b5cf86f0a9
Opcode Fuzzy Hash: 768825d75d7e4c5fc15e46df28573466f8d19bb1eeca4785930e067c2c322d1d
Instruction Fuzzy Hash: 3481E3B4810B00AFD360EF39D947757BEF4AB06201F404A1DE8EA96654E730A469CBE2

Function 0028E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 87807f0eee39746e343ce2dd6eda0a6b38f79f484d3db171e52f4b68bb146b96
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 95517AB56083448FE714DF69D49435BBBE1BB89318F054E2DE4E983390E379DA088B82

Function 00297520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9aee55d79729f9f68625d7d8011922a1255936bdb889c6e105e018dbe8c8d07
Instruction ID: ec9054e8a2aad5ce1b0eb72b64f56b8ab0f60b9604b2d4fab3d041d416a253cf
Opcode Fuzzy Hash: f9aee55d79729f9f68625d7d8011922a1255936bdb889c6e105e018dbe8c8d07
Instruction Fuzzy Hash: 95510A3163C2119BCB159E18DC90B2EF7E6FF86354F284A2CE8D957391D631EC208B91

Function 003653FC Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ada8e9881c7e67f3ec90583447792324d1f09c8d1850960f69edf2b93dae909
Instruction ID: 601d6d73e931159407b926317b65916f4149971ee2c11907ef7de592067f3568
Opcode Fuzzy Hash: 1ada8e9881c7e67f3ec90583447792324d1f09c8d1850960f69edf2b93dae909
Instruction Fuzzy Hash: 9B4128F3B08204AFF3189A19ED00B7AFBD6DBD4721F16C93DEA84C7744E93998054692

Function 00255A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0002503512205aa0995cf87c0c8f1511be049dda040d929277150fa010f769a3
Instruction ID: 3cd9c4d6ca7ff83a7d10dafd0b71d376ada85da74b45b6b9ff2b948d84f935c4
Opcode Fuzzy Hash: 0002503512205aa0995cf87c0c8f1511be049dda040d929277150fa010f769a3
Instruction Fuzzy Hash: 49513570A247119FC714DF14C8A0926B7A0FF8532AF15466CFC998B342D730EC66CB9A

Function 003F5503 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139b09548f7bdcac812cde1772382f331be05c47a6d5729d52b1f1c4c96371a7
Instruction ID: cdfb0273ee2de0affbf9b0fd695593d14578df4b3d8c57d40dc873d128d52665
Opcode Fuzzy Hash: 139b09548f7bdcac812cde1772382f331be05c47a6d5729d52b1f1c4c96371a7
Instruction Fuzzy Hash: 094177F7F041044BD310AD3EDD5476ABBDA9BD5270F2B873EA5A4C3B88E9748A064251

Function 0027EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07e1182d17218db6acef17352b51d93e6ad63e754c942773f4eda5596be4858
Instruction ID: 235c3a303bf5d337f037ac1788dbb82c4ff61b2dca8a22c263d775c397a18cf9
Opcode Fuzzy Hash: c07e1182d17218db6acef17352b51d93e6ad63e754c942773f4eda5596be4858
Instruction Fuzzy Hash: 4A41A378910316DFDF208F54DC91BADB7B0FF0A354F144589E945AB3A1EB389960CBA1

Function 00299B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a567930be5625a4afe4dd5172994adfbd3afad94b85f7559fd23b4c90e1c7945
Instruction ID: a8989aa10d28cce2a5176315a52a50904fe03a36444133915e66c8a84c8514a6
Opcode Fuzzy Hash: a567930be5625a4afe4dd5172994adfbd3afad94b85f7559fd23b4c90e1c7945
Instruction Fuzzy Hash: 72418034218301ABDB10DF19DD90B2FF7E6EB99724F54882DF58997251D335E860CBA2

Function 00262030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5b273e6cf796b1aac8f86cc653c847bd64985389284a0492ac28619e176669
Instruction ID: 29c8e5f72bdd888da75be17496d3912a9bfa844a952a987275aff038be63a97b
Opcode Fuzzy Hash: 3f5b273e6cf796b1aac8f86cc653c847bd64985389284a0492ac28619e176669
Instruction Fuzzy Hash: 87412832A1C7654FD35CCE29C49023ABBE2AFC5300F19C26EE4D6873D1DAB58999D781

Function 00261E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19c9b1ee2aa01b2f2b9383d5dcb5b8a54f446b602916f83d3e3cc2c6b9e4963
Instruction ID: f6b03553ce9fbde6293bbdd18a40cf8b121f8122cfb211479ca60110a622aa89
Opcode Fuzzy Hash: b19c9b1ee2aa01b2f2b9383d5dcb5b8a54f446b602916f83d3e3cc2c6b9e4963
Instruction Fuzzy Hash: 1441EF745183809BD320AB58D888B1EFBF5FB86344F184D1DF6C497292C37AE8648F66

Function 00298D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a3804d3938f06cb9bf655c59a79dd79bb366592b9653cf186f303b2a4a9d03
Instruction ID: 5e29f6bea56495633e2d023cc5df94225492268d77dc45487b24483d3a0dee82
Opcode Fuzzy Hash: f3a3804d3938f06cb9bf655c59a79dd79bb366592b9653cf186f303b2a4a9d03
Instruction Fuzzy Hash: 9541A03161C2518FCB04DF68C49062EFBE6AF9A300F198A1ED4D5DB291DB75DD118B92

Function 0026D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab8d4bf7698ffb6e6167049101d5a4225fa965e1d7465c5cd64c0f090ef68d3
Instruction ID: 0e553d270fef63849de773897207583ce944c02d2c0239e74226594af69aa97e
Opcode Fuzzy Hash: 5ab8d4bf7698ffb6e6167049101d5a4225fa965e1d7465c5cd64c0f090ef68d3
Instruction Fuzzy Hash: FB41CEB1A18385CBD7309F14C885BAFB7B0FF9A360F040958E48A8B751E7744890CB97

Function 0028F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: e8634bb0d324952ff0979b45ec8cc67ca36ad88fa6a5400b02893ba4ccd1fce8
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: A22137369192258BC324AF19C98063BF7E8EB99704F16863ED8C4A7295E3359C2487E1

Function 002967EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9efa623048389cbeab7bc3cad532ef1524468dd8df3c3e19c54fc844c003c5e
Instruction ID: 9653cafc7c8d82a4ce55b884b12fa8acdb01439e2387a95db9070f5924879036
Opcode Fuzzy Hash: a9efa623048389cbeab7bc3cad532ef1524468dd8df3c3e19c54fc844c003c5e
Instruction Fuzzy Hash: 1531167052C3829AEB14CF14C49462FBBF0EF96784F54580DF4C8AB261D734D995CB9A

Function 00275E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91302cd3148982147c6405f92f1c621cdd131cbeed2613a52f6f37c104d7718f
Instruction ID: 604b29a7f921ae3e251b0366cb662088282e67daa634430c09b6ca242e96b26b
Opcode Fuzzy Hash: 91302cd3148982147c6405f92f1c621cdd131cbeed2613a52f6f37c104d7718f
Instruction Fuzzy Hash: 3B21B2705287219BD310AF28C84192BF7F4EF92765F54891CF4D99B291E374D924CBA3

Function 002549A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 0cd14f839ef75af68560cc17a76546884917702c5c435799155f7f56db0a719f
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: CB31DB356682419FD750AE18D89153BF7E1EF8835EF18852CEC9A87241D231ECA6CB4E

Function 002964B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb879cd3b9ec6d11548254425c9424244ddd715c96e3f80de4c717a727b6fa0
Instruction ID: 0752dac6de0c1a874c75654083345f25d31573fad5cc286582959868ecf663d0
Opcode Fuzzy Hash: ccb879cd3b9ec6d11548254425c9424244ddd715c96e3f80de4c717a727b6fa0
Instruction Fuzzy Hash: 6921697052C201DFCB14EF59E988A2EF7E5FB86740F18981CE4C493261C731A860DB62

Function 004AE84B Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2df74da514fa525f895e0854f964fdff2f5f59989dbdaaae99aae0e39044c60
Instruction ID: 38641a8bdf2e293415adac93e1daa493a0b9f2b37846706cd146f378a05e6ef5
Opcode Fuzzy Hash: a2df74da514fa525f895e0854f964fdff2f5f59989dbdaaae99aae0e39044c60
Instruction Fuzzy Hash: 4821A3B390C6149FD709AE18DC9267AF7E5EF98310F16093EE6C693750EA725810CA87

Function 0028B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5667f6e60b6845f69bfd040100fd8cfe5d39c7896d5e8da9ebd83ed647f14b21
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3311E937A261E50EC3179D3C8440565BFA71AA3235F5D439DF4B49B2D2E7238D8A8354

Function 00280B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: efdb6818a55dc4d288436298ea1ff67534e2f36e0ee7d8fd49b356725ece422d
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 0D0175F9A223024BE760BE5498D1B3BB7A8AF4071CF18452CD80657281EB75EC2DC795

Function 0027D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e81f95fd554c801ad63bc78c46ecb2c8ee4f431597ad14832fb2aaeb7889d
Instruction ID: 87ea5bbae26f2a6db34b4214b04e105834d22b9a405a4c4499367cfe4d2b5f52
Opcode Fuzzy Hash: 6e5e81f95fd554c801ad63bc78c46ecb2c8ee4f431597ad14832fb2aaeb7889d
Instruction Fuzzy Hash: 6E11EFB0418380AFD310AF618484A2FFBF5EB96714F148C0DF5A89B252C375D829CF56

Function 00256EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef6622822830416d2f0de231aa09de1f07fe8c65b353e3a748809a970225a59
Instruction ID: b65eacea8ac8369711619d7ca0057da3ac19e481da6a0dbd7806409063647133
Opcode Fuzzy Hash: 5ef6622822830416d2f0de231aa09de1f07fe8c65b353e3a748809a970225a59
Instruction Fuzzy Hash: 02F0503EB2920A0F6211CDAAF888837F3D6D7D5765B041539EE42C3601CDB1E80541D4

Function 0028B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 0026C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 0026B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: d84b4d5b7dd2acf2217b5f1f8e139bb66cc9d86e3d789cc45be14c1a345a3928
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 32F0ECB261851057DF238E559CD0F37BB9CCB97354F190426E845D7103D66158D5C3E5

Function 00288220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dc4073fd8fb0ca3c14600393a396c6eac6027f34251f61c179f555c1336ed5
Instruction ID: 9121221245049fb8f6a019d762213f1df50aafb9264b1584c69e1490cd3ad07d
Opcode Fuzzy Hash: d3dc4073fd8fb0ca3c14600393a396c6eac6027f34251f61c179f555c1336ed5
Instruction Fuzzy Hash: 7F01E4B04147009FC360EF29C545747BBE8EB08714F504A1DE8AECB680D770A5548B82

Function 00291440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 93a7ac35ae5c8f104dad156d2414b7a9538b86abfff3297483a63e638a4ae6ef
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: D3D0A731608323469F748E1AA400977F7F0EACBB51F49A55EF586E3148D230DC51C2A9

Function 00261ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a77950fc3dae8eaf8b34a43fb66277a93e4355984c4379ea366d319741fe7dd
Instruction ID: ffc3fa0ccbdb4ff819d19bab9322d26cabae3a34e168629d1ca6b38daec8e7ee
Opcode Fuzzy Hash: 5a77950fc3dae8eaf8b34a43fb66277a93e4355984c4379ea366d319741fe7dd
Instruction Fuzzy Hash: 49C01234A680008B82849F50BA99432B6B8A38B308710702ADA03E3221CAA0E8228A09

Function 00296094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051ac1da3f1ee24ab14901ead50511375c239604e60864a4e6e25e468358d386
Instruction ID: aa0a8bc49b24cd1027a908370cc1c93292af9e731a1aa0935bcd5dfc2c50a96d
Opcode Fuzzy Hash: 051ac1da3f1ee24ab14901ead50511375c239604e60864a4e6e25e468358d386
Instruction Fuzzy Hash: FDC04C3466C000879508CE04A955475E2679AA7728624B419D80623655C624D512952C

Function 00261A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97a4f3995b06ae2efdfc1f1b24e560737f280cdc2c075c91cefbc661f3f3c6d
Instruction ID: 4efb883366f9ae727c68840242f95fa6c4f9c6d97082efbb3742799e6bd1193c
Opcode Fuzzy Hash: b97a4f3995b06ae2efdfc1f1b24e560737f280cdc2c075c91cefbc661f3f3c6d
Instruction Fuzzy Hash: 32C04C25AA90408A82C48E85BA95431A2E85306308714303B9706E7261C5A0D4158609

Function 00295FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2083084130.0000000000251000.00000040.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2083067638.0000000000250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000518000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000054D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083117895.000000000055C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083342495.000000000055D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083442029.00000000006FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2083458063.00000000006FE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d761e919650a49570c53c97d475e3c1e3d9ef66ad03455e3bac7854f43a6835b
Instruction ID: 15d0145d5433e7d3081c5581eca8ec8d8faaccbe971e1ff252adbadfe7325535
Opcode Fuzzy Hash: d761e919650a49570c53c97d475e3c1e3d9ef66ad03455e3bac7854f43a6835b
Instruction Fuzzy Hash: 6CC09224B680008BA24CCF18ED56975F2BB9BABA2CB14B82DD806A3256D934D512862C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 0025FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 0025D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00295700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 00295BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0029695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 0026049B Relevance: .3, Instructions: 264
COMMON

Function 0050686D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
memoryCOMMON

Function 00293220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00293202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON