Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528898
MD5:	4906df588975aa33a2eed7c05a04ad74
SHA1:	933f7c08c12fa78c7cf7efdfe9ed3dfb13a9cd1c
SHA256:	d323f2034ee22ad7b02394182f3d52456b3fb3a37bc0d1cea888c5a482c88a26
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4906DF588975AA33A2EED7C05A04AD74)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["dissapoiznw.storec", "spirittunek.storec", "bathdoomgaz.storec", "eaglepawnoy.storec", "licendfilteo.sitec", "studennotediw.storec", "mobbipenju.store", "clearancek.site"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T12:32:14.880529+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.7	62893	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T12:32:14.809070+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.7	50314	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T12:32:14.859375+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.7	57761	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T12:32:14.848009+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.7	64806	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T12:32:14.902807+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.7	60290	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T12:32:14.835328+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.7	61681	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T12:32:14.891418+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.7	52156	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T12:32:14.870077+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.7	58670	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7440.2.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.storec", "spirittunek.storec", "bathdoomgaz.storec", "eaglepawnoy.storec", "licendfilteo.sitec", "studennotediw.storec", "mobbipenju.store", "clearancek.site"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: eaglepawnoy.store	Virustotal: Detection: 17%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 13%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 13%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 13%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 13%	Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A550FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A1D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A1D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	2_2_00A563B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	2_2_00A599D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	2_2_00A5695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00A1FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_00A20EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	2_2_00A56094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	2_2_00A26F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	2_2_00A4F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	2_2_00A11000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	2_2_00A54040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_00A3D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_00A242FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00A32260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	2_2_00A32260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	2_2_00A423E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	2_2_00A423E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	2_2_00A423E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00A423E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	2_2_00A423E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	2_2_00A423E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	2_2_00A1A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	2_2_00A564B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_00A3E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_00A2B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_00A3C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_00A51440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00A2D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	2_2_00A18590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	2_2_00A57520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_00A26536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00A39510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_00A3E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00A4B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_00A3D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_00A567EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A55700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	2_2_00A57710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00A328E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00A149A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	2_2_00A53920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_00A2D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	2_2_00A21ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	2_2_00A21A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	2_2_00A54A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00A15A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00A40B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_00A23BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	2_2_00A21BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	2_2_00A59B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	2_2_00A2DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	2_2_00A2DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	2_2_00A3AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	2_2_00A3AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A59CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	2_2_00A59CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	2_2_00A3CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A3CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	2_2_00A3CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	2_2_00A4FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00A37C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	2_2_00A3EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A58D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_00A3DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	2_2_00A3FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00A16EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	2_2_00A1BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	2_2_00A26EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	2_2_00A21E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	2_2_00A24E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00A37E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A35E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	2_2_00A3AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	2_2_00A26F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	2_2_00A57FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A57FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	2_2_00A18FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	2_2_00A55FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	2_2_00A2FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	2_2_00A39F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00A4FF70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:61681 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:60290 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:50314 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:62893 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:58670 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:52156 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:64806 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:57761 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: dissapoiznw.storec
Source: Malware configuration extractor	URLs: spirittunek.storec
Source: Malware configuration extractor	URLs: bathdoomgaz.storec
Source: Malware configuration extractor	URLs: eaglepawnoy.storec
Source: Malware configuration extractor	URLs: licendfilteo.sitec
Source: Malware configuration extractor	URLs: studennotediw.storec
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: clearancek.site

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000002.00000003.1355118670.0000000001471000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=0b1e54059271a69168a9485f; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 10:32:16 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355890375.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355890375.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355890375.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000002.00000002.1355931266.0000000001446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000002.00000002.1355812204.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900$
Source: file.exe, 00000002.00000002.1355931266.0000000001446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900n%w
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/765611997243319007nP
Source: file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000002.00000003.1355090621.000000000146B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355992457.0000000001472000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1355118670.0000000001471000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49713 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A20228	2_2_00A20228
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5A0D0	2_2_00A5A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A22030	2_2_00A22030
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A11000	2_2_00A11000
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A54040	2_2_00A54040
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042	2_2_00BD2042
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A1E1A0	2_2_00A1E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A171F0	2_2_00A171F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A15160	2_2_00A15160
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A112F7	2_2_00A112F7
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A482D0	2_2_00A482D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A412D0	2_2_00A412D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A1B3A0	2_2_00A1B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A113A3	2_2_00A113A3
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A423E0	2_2_00A423E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A1A300	2_2_00A1A300
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BE1308	2_2_00BE1308
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A24487	2_2_00A24487
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A2049B	2_2_00A2049B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A464F0	2_2_00A464F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BDC4C7	2_2_00BDC4C7
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BE64C5	2_2_00BE64C5
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00B7C47D	2_2_00B7C47D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A3C470	2_2_00A3C470
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A135B0	2_2_00A135B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A18590	2_2_00A18590
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A2C5F0	2_2_00A2C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A586F0	2_2_00A586F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A4F620	2_2_00A4F620
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD5662	2_2_00BD5662
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A1164F	2_2_00A1164F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A58652	2_2_00A58652
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A4E8A0	2_2_00A4E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BDA884	2_2_00BDA884
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BE48EA	2_2_00BE48EA
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A4B8C0	2_2_00A4B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A41860	2_2_00A41860
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A1A850	2_2_00A1A850
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A589A0	2_2_00A589A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A3098B	2_2_00A3098B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BDF969	2_2_00BDF969
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00B19952	2_2_00B19952
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A57AB0	2_2_00A57AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A58A80	2_2_00A58A80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A54A40	2_2_00A54A40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A17BF0	2_2_00A17BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A2DB6F	2_2_00A2DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A56CBF	2_2_00A56CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A3CCD0	2_2_00A3CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A58C02	2_2_00A58C02
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00C67D8F	2_2_00C67D8F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BE7DEF	2_2_00BE7DEF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A3DD29	2_2_00A3DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A3FD10	2_2_00A3FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A38D62	2_2_00A38D62
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD8D6B	2_2_00BD8D6B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A1BEB0	2_2_00A1BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A26EBF	2_2_00A26EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A24E2A	2_2_00A24E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A58E70	2_2_00A58E70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A3AE57	2_2_00A3AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A57FC0	2_2_00A57FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A18FD0	2_2_00A18FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A1AF10	2_2_00A1AF10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BDDF04	2_2_00BDDF04

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A1CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A2D300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9995036613036303
Source: file.exe	Static PE information: Section: iqxagfmt ZLIB complexity 0.9943605210534259

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00A48220 CoCreateInstance,

2_2_00A48220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1866240 > 1048576

Source: file.exe

Static PE information: Raw size of iqxagfmt is bigger than: 0x100000 < 0x19e200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 2.2.file.exe.a10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iqxagfmt:EW;pvplyzty:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iqxagfmt:EW;pvplyzty:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1d0950 should be: 0x1cbaa6

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: iqxagfmt
Source: file.exe	Static PE information: section name: pvplyzty
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00CEE0D8 push esi; mov dword ptr [esp], 7E133494h	2_2_00CEE0DD
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00C130F7 push 2C7F5D56h; mov dword ptr [esp], eax	2_2_00C1312E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00C780A1 push ecx; mov dword ptr [esp], 3B2E008Ah	2_2_00C780C4
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00C780A1 push 1CC49211h; mov dword ptr [esp], ecx	2_2_00C78108
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00CA90A4 push 3907CCD4h; mov dword ptr [esp], ebp	2_2_00CA90B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00CA90A4 push 786048F2h; mov dword ptr [esp], edx	2_2_00CA9818
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00CA90A4 push esi; mov dword ptr [esp], 5EE9C3A5h	2_2_00CA981C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00C74045 push ecx; mov dword ptr [esp], eax	2_2_00C74085
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00C12013 push ecx; mov dword ptr [esp], 6BFEF8F1h	2_2_00C1203C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00C12013 push esi; mov dword ptr [esp], edi	2_2_00C1207C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00C47030 push 0537415Ch; mov dword ptr [esp], ebx	2_2_00C47060
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push edi; mov dword ptr [esp], esi	2_2_00BD2049
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push edx; mov dword ptr [esp], ebp	2_2_00BD208A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push esi; mov dword ptr [esp], edi	2_2_00BD213C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push edx; mov dword ptr [esp], edi	2_2_00BD2253
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push ecx; mov dword ptr [esp], edx	2_2_00BD22E7
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push esi; mov dword ptr [esp], edi	2_2_00BD23A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push 26461C9Eh; mov dword ptr [esp], esi	2_2_00BD241E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push edi; mov dword ptr [esp], esi	2_2_00BD243F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push edx; mov dword ptr [esp], ebp	2_2_00BD2483
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push ecx; mov dword ptr [esp], esi	2_2_00BD248F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push edi; mov dword ptr [esp], ebp	2_2_00BD2523
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push 75D93041h; mov dword ptr [esp], edi	2_2_00BD25B8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push eax; mov dword ptr [esp], ebp	2_2_00BD2617
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push 041D7497h; mov dword ptr [esp], eax	2_2_00BD261F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push 12482DCCh; mov dword ptr [esp], ebp	2_2_00BD269B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push 0DC87D6Ah; mov dword ptr [esp], edi	2_2_00BD271C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push 5C43FCF3h; mov dword ptr [esp], edx	2_2_00BD2781
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push ebp; mov dword ptr [esp], edx	2_2_00BD278D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push ebp; mov dword ptr [esp], 7853AC86h	2_2_00BD2791
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00BD2042 push eax; mov dword ptr [esp], ebx	2_2_00BD2839

Source: file.exe	Static PE information: section name: entropy: 7.980837503292299
Source: file.exe	Static PE information: section name: iqxagfmt entropy: 7.954662420939759

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73B2A second address: A73B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73B38 second address: A73B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F900CB7E41Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73B4A second address: A73B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEDAAA second address: BEDAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEDC17 second address: BEDC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007F900CFF60D6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEDC29 second address: BEDC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEE0B6 second address: BEE0BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEE0BC second address: BEE0C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF16CA second address: BF1732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F900CFF60D6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F900CFF60D8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov edx, dword ptr [ebp+122D2AC4h] 0x0000002f xor ecx, dword ptr [ebp+122D28E8h] 0x00000035 push 00000000h 0x00000037 cmc 0x00000038 call 00007F900CFF60D9h 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 jmp 00007F900CFF60DCh 0x00000045 jmp 00007F900CFF60E2h 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1732 second address: BF1740 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1740 second address: BF1744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF185D second address: BF1884 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E428h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F900CB7E416h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1884 second address: BF188A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF188A second address: BF188F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1924 second address: BF1968 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d jmp 00007F900CFF60E4h 0x00000012 add edx, 347F3904h 0x00000018 push 8E15FEC3h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1968 second address: BF1986 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E422h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F900CB7E41Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1986 second address: BF19F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 71EA01BDh 0x0000000c and dx, 4369h 0x00000011 push 00000003h 0x00000013 jmp 00007F900CFF60E5h 0x00000018 push 00000000h 0x0000001a mov edx, esi 0x0000001c push 00000003h 0x0000001e cmc 0x0000001f push 4962AD9Eh 0x00000024 jmp 00007F900CFF60DFh 0x00000029 add dword ptr [esp], 769D5262h 0x00000030 lea ebx, dword ptr [ebp+12451575h] 0x00000036 mov edx, 6C51ED54h 0x0000003b xchg eax, ebx 0x0000003c pushad 0x0000003d jmp 00007F900CFF60E2h 0x00000042 push eax 0x00000043 push edx 0x00000044 jno 00007F900CFF60D6h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1A70 second address: BF1A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1A74 second address: BF1B10 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F900CFF60D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dl, bl 0x0000000f mov edx, dword ptr [ebp+122D2B78h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F900CFF60D8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 push 70AE5633h 0x00000036 push edx 0x00000037 jmp 00007F900CFF60E7h 0x0000003c pop edx 0x0000003d xor dword ptr [esp], 70AE56B3h 0x00000044 jg 00007F900CFF60DCh 0x0000004a push 00000003h 0x0000004c jmp 00007F900CFF60DBh 0x00000051 mov di, 5413h 0x00000055 push 00000000h 0x00000057 call 00007F900CFF60DAh 0x0000005c movzx ecx, si 0x0000005f pop edx 0x00000060 push 00000003h 0x00000062 mov si, 7731h 0x00000066 mov esi, dword ptr [ebp+122D2AF4h] 0x0000006c push 6B34A954h 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 push esi 0x00000075 pop esi 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1B10 second address: BF1B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F900CB7E41Bh 0x0000000b popad 0x0000000c add dword ptr [esp], 54CB56ACh 0x00000013 mov edx, dword ptr [ebp+122D31E5h] 0x00000019 lea ebx, dword ptr [ebp+12451580h] 0x0000001f mov dword ptr [ebp+122D3161h], esi 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF1B41 second address: BF1B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1307F second address: C13083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11286 second address: C1128C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1128C second address: C11290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11290 second address: C112AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F900CFF60E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C112AE second address: C112C9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F900CB7E416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b jnp 00007F900CB7E43Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F900CB7E416h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C112C9 second address: C112CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C112CD second address: C112D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11431 second address: C11450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CFF60E3h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11450 second address: C11455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11716 second address: C11723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F900CFF60D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11B3B second address: C11B5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E427h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11B5E second address: C11B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11B62 second address: C11B75 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F900CB7E416h 0x00000008 jnc 00007F900CB7E416h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11B75 second address: C11B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11F97 second address: C11F9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C11F9B second address: C11FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05333 second address: C0534C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0534C second address: C05352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12121 second address: C12139 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E420h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12139 second address: C12154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E2h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1277E second address: C12784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12784 second address: C12788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12788 second address: C1278C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1278C second address: C12798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12798 second address: C1279E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12AAD second address: C12ACC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F900CFF60DFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F900CFF60D6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12ACC second address: C12AD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12AD0 second address: C12AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jng 00007F900CFF60D6h 0x0000000d je 00007F900CFF60D6h 0x00000013 pop edx 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F900CFF60DCh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12AF6 second address: C12AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12AFA second address: C12B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12B06 second address: C12B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C18E78 second address: C18E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F900CFF60D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C18E82 second address: C18E96 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F900CB7E416h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C18E96 second address: C18E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C18E9A second address: C18EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C19066 second address: C1906B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B46C second address: C1B49B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E429h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F900CB7E41Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B49B second address: C1B49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B49F second address: C1B4A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B4A3 second address: C1B4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F900CFF60D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1EAE0 second address: C1EAE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD1B71 second address: BD1BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CFF60E5h 0x00000009 jmp 00007F900CFF60E7h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1DF95 second address: C1DF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1DF99 second address: C1DFA5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F900CFF60D6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1DFA5 second address: C1DFBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop eax 0x00000007 jmp 00007F900CB7E41Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1DFBD second address: C1DFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1DFC1 second address: C1DFC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1E282 second address: C1E286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1E286 second address: C1E28A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1E28A second address: C1E2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F900CFF60D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F900CFF60F1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1E2B7 second address: C1E2C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1E6F1 second address: C1E718 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F900CFF60DDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jng 00007F900CFF60D6h 0x00000018 jg 00007F900CFF60D6h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2075C second address: C20772 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F900CB7E416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F900CB7E416h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C20772 second address: C20776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C20776 second address: C2077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2077C second address: C20786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F900CFF60D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2081C second address: C20839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F900CB7E416h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e js 00007F900CB7E41Ch 0x00000014 jnl 00007F900CB7E416h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C20A05 second address: C20A09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C20A09 second address: C20A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C20FE8 second address: C2100D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], ebx 0x0000000a mov esi, dword ptr [ebp+122D2984h] 0x00000010 nop 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F900CFF60E2h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C210BE second address: C210C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C210C2 second address: C210CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C210CF second address: C210DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F900CB7E416h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C214EB second address: C21503 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007F900CFF60DCh 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C21A66 second address: C21A8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F900CB7E42Ah 0x00000013 jmp 00007F900CB7E424h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2240F second address: C2241A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C222ED second address: C22304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F900CB7E41Ch 0x0000000a jns 00007F900CB7E416h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C22304 second address: C22309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C233EC second address: C2340A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F900CB7E418h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jno 00007F900CB7E41Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2340A second address: C2340E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2340E second address: C23466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F900CB7E418h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push ecx 0x00000026 cmc 0x00000027 pop esi 0x00000028 mov esi, dword ptr [ebp+122D2A48h] 0x0000002e push 00000000h 0x00000030 mov edi, dword ptr [ebp+122D3320h] 0x00000036 push 00000000h 0x00000038 mov di, dx 0x0000003b push eax 0x0000003c js 00007F900CB7E422h 0x00000042 je 00007F900CB7E41Ch 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C23EC3 second address: C23EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C249B1 second address: C249B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C25FF1 second address: C26084 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 or edi, 6B4C0DE1h 0x0000000e push 00000000h 0x00000010 mov esi, dword ptr [ebp+1244DC89h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F900CFF60D8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 jo 00007F900CFF60DAh 0x00000038 mov si, 9EF3h 0x0000003c xchg eax, ebx 0x0000003d pushad 0x0000003e jng 00007F900CFF60EFh 0x00000044 jmp 00007F900CFF60E9h 0x00000049 jno 00007F900CFF60D8h 0x0000004f popad 0x00000050 push eax 0x00000051 pushad 0x00000052 jne 00007F900CFF60ECh 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2682C second address: C26830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C26830 second address: C26836 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2B2AC second address: C2B2C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E423h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2C27E second address: C2C282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2D342 second address: C2D35F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E429h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E39A second address: C2E3B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2F406 second address: C2F42E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F900CB7E425h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E554 second address: C2E558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E558 second address: C2E597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F900CB7E423h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F900CB7E424h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F900CB7E41Dh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2F64E second address: C2F654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2F654 second address: C2F658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2F702 second address: C2F719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F900CFF60DCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C304A6 second address: C304B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F900CB7E416h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C304B5 second address: C304B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C304B9 second address: C3050D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 jg 00007F900CB7E421h 0x0000000e jmp 00007F900CB7E41Bh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a movsx ebx, dx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 xor dword ptr [ebp+1244E929h], eax 0x0000002a sub dword ptr [ebp+1245252Fh], edx 0x00000030 mov eax, dword ptr [ebp+122D123Dh] 0x00000036 xor ebx, dword ptr [ebp+122D3153h] 0x0000003c push FFFFFFFFh 0x0000003e mov dword ptr [ebp+122D2F7Bh], edx 0x00000044 nop 0x00000045 push esi 0x00000046 push eax 0x00000047 push edx 0x00000048 je 00007F900CB7E416h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3256A second address: C3257A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3257A second address: C3257F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3262E second address: C32640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F900CFF60D6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3050D second address: C30531 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E429h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C335F8 second address: C335FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3479C second address: C347A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C32752 second address: C32758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C32758 second address: C3275C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C39F15 second address: C39F1F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F900CFF60D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3AEB7 second address: C3AEC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F900CB7E416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3AEC1 second address: C3AF0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub bx, 9BB8h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F900CFF60D8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e add dword ptr [ebp+1247B237h], edi 0x00000034 push eax 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 jl 00007F900CFF60D6h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3AF0A second address: C3AF0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BF1A second address: C3BF50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F900CFF60D6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 jmp 00007F900CFF60DCh 0x00000016 push 00000000h 0x00000018 jc 00007F900CFF60DCh 0x0000001e sub dword ptr [ebp+12452A82h], esi 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jnc 00007F900CFF60D6h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BF50 second address: C3BF56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BF56 second address: C3BF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BF5C second address: C3BF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C359B2 second address: C359D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C359D5 second address: C359DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C359DA second address: C359E4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F900CFF60DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C37FD3 second address: C37FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C37FD7 second address: C37FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C37FDD second address: C38007 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F900CB7E427h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 jne 00007F900CB7E416h 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C38FA2 second address: C38FB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C38FB8 second address: C39050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 movsx edi, bx 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F900CB7E418h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F900CB7E418h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e xor ebx, dword ptr [ebp+1246AE88h] 0x00000054 mov eax, dword ptr [ebp+122D15E5h] 0x0000005a jnc 00007F900CB7E429h 0x00000060 push FFFFFFFFh 0x00000062 mov ebx, dword ptr [ebp+122D3A13h] 0x00000068 nop 0x00000069 js 00007F900CB7E420h 0x0000006f pushad 0x00000070 jbe 00007F900CB7E416h 0x00000076 pushad 0x00000077 popad 0x00000078 popad 0x00000079 push eax 0x0000007a pushad 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3DF72 second address: C3DF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CFF60E0h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3DF8A second address: C3DF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3DF8E second address: C3DFB4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F900CFF60D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F900CFF60E5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3DFB4 second address: C3DFBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3DFBC second address: C3DFC6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F900CFF60E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3DFC6 second address: C3DFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F900CB7E416h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3DFD4 second address: C3DFD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3A0CA second address: C3A0DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F900CB7E420h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C0EF second address: C3C0F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C0F4 second address: C3C169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D338Bh], edi 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F900CB7E418h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov ebx, dword ptr [ebp+122D37D2h] 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov bx, cx 0x00000041 mov eax, dword ptr [ebp+122D14A1h] 0x00000047 mov dword ptr [ebp+122D385Dh], edi 0x0000004d push FFFFFFFFh 0x0000004f clc 0x00000050 movsx ebx, si 0x00000053 push eax 0x00000054 jnp 00007F900CB7E432h 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F900CB7E424h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48915 second address: C48951 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007F900CFF60D6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jp 00007F900CFF60E2h 0x00000013 jnp 00007F900CFF60DCh 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d pushad 0x0000001e jmp 00007F900CFF60E4h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48951 second address: C48955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDF499 second address: BDF4BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F900CFF60E9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDF4BC second address: BDF4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F900CB7E416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDDA6B second address: BDDA75 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F900CFF60DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58B8D second address: C58BAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E423h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F900CB7E41Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58BAC second address: C58BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58BB0 second address: C58BC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F900CB7E41Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C27C92 second address: C27C9C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F900CFF60D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C27C9C second address: C27CA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C27CA1 second address: C05333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c and dh, FFFFFFF5h 0x0000000f lea eax, dword ptr [ebp+124879E4h] 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F900CFF60D8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f mov cl, 02h 0x00000031 mov ecx, dword ptr [ebp+12475CA8h] 0x00000037 push eax 0x00000038 push ebx 0x00000039 jns 00007F900CFF60E9h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp], eax 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007F900CFF60D8h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 00000016h 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d mov edi, dword ptr [ebp+122D2BC8h] 0x00000063 call dword ptr [ebp+122D332Fh] 0x00000069 push ecx 0x0000006a push eax 0x0000006b push edx 0x0000006c push edi 0x0000006d pop edi 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28372 second address: C28376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28376 second address: C2837A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2837A second address: C2839B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F900CB7E41Ch 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F900CB7E41Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2839B second address: C2839F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2839F second address: C283B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C283B0 second address: C283EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F900CFF60E5h 0x00000010 pop eax 0x00000011 add ecx, 3DC6BC88h 0x00000017 push 5CC32BC2h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F900CFF60E0h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C283EE second address: C283F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2851D second address: C28531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 mov dword ptr [esp], esi 0x00000009 mov dword ptr [ebp+122D37A7h], eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28607 second address: C2860B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2860B second address: C2862A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F900CFF60E5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2862A second address: C2864F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F900CB7E41Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2864F second address: C28673 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F900CFF60D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 push esi 0x00000016 pop esi 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28673 second address: C28678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28F7A second address: C28F88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F900CFF60D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28F88 second address: C28F8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28F8C second address: C28FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c push esi 0x0000000d jne 00007F900CFF60D6h 0x00000013 pop esi 0x00000014 pop ecx 0x00000015 mov eax, dword ptr [eax] 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28FA8 second address: C28FAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C29086 second address: C290A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 add dword ptr [ebp+12452A95h], eax 0x0000000d lea eax, dword ptr [ebp+12487A28h] 0x00000013 stc 0x00000014 nop 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C290A0 second address: C290A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C290A4 second address: C290B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F900CFF60D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007F900CFF60D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C290B7 second address: C290FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jno 00007F900CB7E422h 0x0000000d nop 0x0000000e movzx edi, dx 0x00000011 lea eax, dword ptr [ebp+124879E4h] 0x00000017 movsx edi, dx 0x0000001a nop 0x0000001b push edx 0x0000001c jnl 00007F900CB7E41Ch 0x00000022 pop edx 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F900CB7E41Bh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C290FA second address: C290FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C290FF second address: C05EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov cx, 2EFAh 0x0000000c sub ecx, dword ptr [ebp+122D2A58h] 0x00000012 call dword ptr [ebp+122D33F8h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F900CB7E423h 0x0000001f pushad 0x00000020 push edi 0x00000021 pop edi 0x00000022 pushad 0x00000023 popad 0x00000024 jnp 00007F900CB7E416h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5E9B second address: BE5EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F900CFF60D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5EA5 second address: BE5EAB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5EAB second address: BE5EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5EB5 second address: BE5EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5EBB second address: BE5EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5EBF second address: BE5ED0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5ED0 second address: BE5F1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E6h 0x00000007 push ecx 0x00000008 jmp 00007F900CFF60DEh 0x0000000d jg 00007F900CFF60D6h 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F900CFF60E1h 0x0000001d jmp 00007F900CFF60DCh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5F1F second address: BE5F40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F900CB7E416h 0x00000009 jmp 00007F900CB7E426h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C57CC7 second address: C57CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C57CD1 second address: C57CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CB7E41Bh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F900CB7E416h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C57FF9 second address: C5800A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CFF60DAh 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5800A second address: C58010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5812F second address: C58140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F900CFF60D6h 0x0000000a jnc 00007F900CFF60D6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58140 second address: C58145 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58145 second address: C5815F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CFF60E1h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5815F second address: C58163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58163 second address: C58199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F900CFF60DAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F900CFF60DBh 0x00000015 jmp 00007F900CFF60E6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58199 second address: C581C3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F900CB7E416h 0x00000008 jmp 00007F900CB7E41Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F900CB7E41Fh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C581C3 second address: C581C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D1D1 second address: C5D20C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F900CB7E431h 0x00000010 pushad 0x00000011 jnp 00007F900CB7E416h 0x00000017 push esi 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D393 second address: C5D3AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F900CFF60D6h 0x0000000a jmp 00007F900CFF60DDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D3AA second address: C5D3BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F900CB7E416h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5CED3 second address: C5CEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edi 0x0000000c pushad 0x0000000d ja 00007F900CFF60E2h 0x00000013 jns 00007F900CFF60D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5DE9E second address: C5DEA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5E185 second address: C5E189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C640CF second address: C640D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C640D3 second address: C640F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C640F9 second address: C640FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C640FE second address: C64104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C64104 second address: C6411F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F900CB7E41Ah 0x00000010 jnc 00007F900CB7E416h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6411F second address: C6412C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F900CFF60D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6412C second address: C64132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C62E42 second address: C62E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 js 00007F900CFF60D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C62FAA second address: C62FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63293 second address: C632E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F900CFF60D6h 0x0000000a jmp 00007F900CFF60E9h 0x0000000f popad 0x00000010 jne 00007F900CFF60E4h 0x00000016 pushad 0x00000017 jmp 00007F900CFF60E8h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C632E6 second address: C632FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jmp 00007F900CB7E41Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C632FF second address: C63304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63304 second address: C63310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 js 00007F900CB7E416h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6349D second address: C634A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C635AB second address: C635C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F900CB7E424h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63775 second address: C6377F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6377F second address: C63787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63787 second address: C6378D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63F0A second address: C63F19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63F19 second address: C63F3A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F900CFF60D8h 0x00000008 jmp 00007F900CFF60DEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63F3A second address: C63F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63F43 second address: C63F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F900CFF60D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63F4D second address: C63F6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E429h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C681FE second address: C6826E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007F900CFF60D6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007F900CFF60DEh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a je 00007F900CFF60E8h 0x00000020 jmp 00007F900CFF60E2h 0x00000025 popad 0x00000026 pushad 0x00000027 jmp 00007F900CFF60E5h 0x0000002c push eax 0x0000002d push edx 0x0000002e jnl 00007F900CFF60D6h 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6826E second address: C68285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E28C second address: C6E2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop eax 0x00000009 jmp 00007F900CFF60DDh 0x0000000e popad 0x0000000f pushad 0x00000010 js 00007F900CFF60DAh 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007F900CFF60D6h 0x0000001e jne 00007F900CFF60D6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E468 second address: C6E470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE9361 second address: BE9371 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F900CFF60D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE9371 second address: BE937C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F900CB7E416h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE937C second address: BE93A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F900CFF60DDh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F900CFF60DCh 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7378E second address: C73794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73941 second address: C7395A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F900CFF60D6h 0x0000000a popad 0x0000000b jnc 00007F900CFF60DEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7395A second address: C73971 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F900CB7E41Ah 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d jg 00007F900CB7E416h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73C33 second address: C73C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F900CFF60E7h 0x0000000d pop edi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73C58 second address: C73C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73C5C second address: C73C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F900CFF60D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F900CFF60EBh 0x00000012 jg 00007F900CFF60E2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73DD8 second address: C73DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73DDC second address: C73DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F900CFF60D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73F58 second address: C73F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CB7E41Dh 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F900CB7E41Ah 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F900CB7E428h 0x00000017 pushad 0x00000018 popad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73F94 second address: C73F99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74268 second address: C7428B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F900CB7E429h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7428B second address: C742A6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F900CFF60D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F900CFF60DDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C742A6 second address: C742AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C742AA second address: C742B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74D4E second address: C74D71 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F900CB7E422h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F900CB7E41Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74D71 second address: C74DD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F900CFF60E5h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F900CFF60E7h 0x0000001a popad 0x0000001b push edi 0x0000001c jmp 00007F900CFF60DCh 0x00000021 js 00007F900CFF60D6h 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74DD5 second address: C74DEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F900CB7E424h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE9399 second address: BE93A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C77BCC second address: C77BDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C77BDA second address: C77BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C77BE4 second address: C77C20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F900CB7E416h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pushad 0x0000000f jbe 00007F900CB7E416h 0x00000015 pushad 0x00000016 popad 0x00000017 je 00007F900CB7E416h 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 ja 00007F900CB7E418h 0x00000028 jg 00007F900CB7E422h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C77C20 second address: C77C2D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F900CFF60D8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7B3B1 second address: C7B3E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F900CB7E428h 0x0000000e js 00007F900CB7E41Eh 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7B55C second address: C7B590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F900CFF60E4h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F900CFF60DFh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7B6EC second address: C7B71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F900CB7E416h 0x0000000a jmp 00007F900CB7E420h 0x0000000f popad 0x00000010 jmp 00007F900CB7E428h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7B71F second address: C7B726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7B8B8 second address: C7B8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7B8BC second address: C7B8CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 push ebx 0x00000009 jnl 00007F900CFF60D6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7BA0D second address: C7BA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7BA13 second address: C7BA17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7BA17 second address: C7BA1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C85012 second address: C85016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C83299 second address: C832A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F900CB7E416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C832A3 second address: C832A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84157 second address: C84165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jno 00007F900CB7E416h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28D68 second address: C28D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84427 second address: C84433 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C846EA second address: C846F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C849A7 second address: C849C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CB7E425h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C849C4 second address: C849C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84C7A second address: C84C80 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84C80 second address: C84CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F900CFF60E7h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84CA2 second address: C84CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84CA8 second address: C84CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84CAE second address: C84CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84CB9 second address: C84CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F900CFF60E5h 0x0000000e jnl 00007F900CFF60D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84CDD second address: C84CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C84CE1 second address: C84CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8CB50 second address: C8CB6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F900CB7E41Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8CB6D second address: C8CB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8CB71 second address: C8CB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8CB79 second address: C8CB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F900CFF60D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8CB83 second address: C8CB87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8CB87 second address: C8CB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8CB90 second address: C8CB96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8CF4B second address: C8CF83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007F900CFF60DFh 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edi 0x00000010 jmp 00007F900CFF60E4h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 je 00007F900CFF60D6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8D337 second address: C8D340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8D340 second address: C8D34A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F900CFF60D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95232 second address: C95236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95236 second address: C9524D instructions: 0x00000000 rdtsc 0x00000002 js 00007F900CFF60D6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push edx 0x0000000e pushad 0x0000000f jne 00007F900CFF60D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9524D second address: C95253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C954D3 second address: C954D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C954D7 second address: C954DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C954DF second address: C9550E instructions: 0x00000000 rdtsc 0x00000002 js 00007F900CFF60D8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007F900CFF60D6h 0x00000013 jmp 00007F900CFF60DBh 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d jl 00007F900CFF60FEh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95921 second address: C95925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95925 second address: C95937 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95937 second address: C9593D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95DE4 second address: C95E00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E7h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95E00 second address: C95E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95E06 second address: C95E0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9A9B6 second address: C9A9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F900CB7E416h 0x0000000a jmp 00007F900CB7E41Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAC27D second address: CAC282 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE2918 second address: BE2938 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F900CB7E42Ah 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F900CB7E422h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE2938 second address: BE293D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CABBDB second address: CABBF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F900CB7E428h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CABBF9 second address: CABBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CABBFD second address: CABC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CABC01 second address: CABC30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jl 00007F900CFF60D6h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F900CFF60E8h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CABD70 second address: CABDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F900CB7E429h 0x0000000b jns 00007F900CB7E416h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 ja 00007F900CB7E416h 0x0000001b push edx 0x0000001c pop edx 0x0000001d jne 00007F900CB7E416h 0x00000023 jnl 00007F900CB7E416h 0x00000029 popad 0x0000002a popad 0x0000002b push ebx 0x0000002c push ebx 0x0000002d jmp 00007F900CB7E424h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB1F06 second address: CB1F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB1F0A second address: CB1F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB1F15 second address: CB1F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC39C2 second address: CC39C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8BA9 second address: CC8BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F900CFF60D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8CF8 second address: CC8D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD811 second address: CCD817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD817 second address: CCD83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F900CB7E425h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD83D second address: CCD850 instructions: 0x00000000 rdtsc 0x00000002 js 00007F900CFF60DCh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD850 second address: CCD856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD856 second address: CCD861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD26BF second address: CD26EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jno 00007F900CB7E416h 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F900CB7E42Fh 0x00000016 jmp 00007F900CB7E423h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD26EA second address: CD26F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD26F4 second address: CD26FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD26FA second address: CD26FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD8F47 second address: CD8F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F900CB7E416h 0x0000000f jmp 00007F900CB7E41Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD8F61 second address: CD8F67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD8F67 second address: CD8F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDDED5 second address: CDDEDF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F900CFF60F0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEDD1A second address: CEDD37 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jmp 00007F900CB7E41Dh 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEDD37 second address: CEDD3E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEFE1C second address: CEFE20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09495 second address: D094BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CFF60E4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F900CFF60D6h 0x00000013 jo 00007F900CFF60D6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09654 second address: D09659 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09659 second address: D09694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F900CFF60DDh 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F900CFF60DCh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F900CFF60DDh 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09694 second address: D0969C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D097C8 second address: D097DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jns 00007F900CFF60DCh 0x0000000f jno 00007F900CFF60D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D097DD second address: D09808 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F900CB7E42Dh 0x00000008 jmp 00007F900CB7E427h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop ecx 0x00000015 push edi 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09C0C second address: D09C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09D9B second address: D09DA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09DA0 second address: D09DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F900CFF60E2h 0x00000009 jns 00007F900CFF60D6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09DC3 second address: D09DC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0A0B6 second address: D0A0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0A0C0 second address: D0A0C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0A0C8 second address: D0A0CD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0A0CD second address: D0A0D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0BA79 second address: D0BA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F900CFF60E3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D10093 second address: D1009A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1009A second address: D10126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F900CFF60D8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov dh, 39h 0x00000026 mov dword ptr [ebp+122D2FB4h], ecx 0x0000002c push dword ptr [ebp+122D36D0h] 0x00000032 call 00007F900CFF60DBh 0x00000037 push eax 0x00000038 pop edx 0x00000039 pop edx 0x0000003a call 00007F900CFF60D9h 0x0000003f jmp 00007F900CFF60DAh 0x00000044 push eax 0x00000045 pushad 0x00000046 jmp 00007F900CFF60DCh 0x0000004b pushad 0x0000004c pushad 0x0000004d popad 0x0000004e jns 00007F900CFF60D6h 0x00000054 popad 0x00000055 popad 0x00000056 mov eax, dword ptr [esp+04h] 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d jns 00007F900CFF60D6h 0x00000063 jmp 00007F900CFF60DBh 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D10126 second address: D1012C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1012C second address: D10161 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F900CFF60D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F900CFF60DEh 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F900CFF60E3h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D113BE second address: D113C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F900CB7E416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D113C8 second address: D113CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D113CE second address: D113D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D113D4 second address: D113D9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD3656 second address: BD366C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F900CB7E41Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD366C second address: BD3670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12C26 second address: D12C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jo 00007F900CB7E423h 0x0000000b jmp 00007F900CB7E41Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12C44 second address: D12C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180C1A second address: 5180C2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F900CB7E41Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180C2D second address: 5180D28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 mov dx, 0F36h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ecx, dword ptr [eax+00000FDCh] 0x00000012 jmp 00007F900CFF60DDh 0x00000017 test ecx, ecx 0x00000019 pushad 0x0000001a mov edi, ecx 0x0000001c push ecx 0x0000001d pushfd 0x0000001e jmp 00007F900CFF60DFh 0x00000023 adc ecx, 1E9DEC6Eh 0x00000029 jmp 00007F900CFF60E9h 0x0000002e popfd 0x0000002f pop esi 0x00000030 popad 0x00000031 jns 00007F900CFF6115h 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007F900CFF60DDh 0x0000003e sub si, B4A6h 0x00000043 jmp 00007F900CFF60E1h 0x00000048 popfd 0x00000049 movzx ecx, dx 0x0000004c popad 0x0000004d add eax, ecx 0x0000004f jmp 00007F900CFF60E3h 0x00000054 mov eax, dword ptr [eax+00000860h] 0x0000005a jmp 00007F900CFF60E6h 0x0000005f test eax, eax 0x00000061 pushad 0x00000062 push ecx 0x00000063 mov edi, 29F5E8C0h 0x00000068 pop edx 0x00000069 mov ecx, 57790CB5h 0x0000006e popad 0x0000006f je 00007F907D8AC140h 0x00000075 jmp 00007F900CFF60E0h 0x0000007a test byte ptr [eax+04h], 00000005h 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007F900CFF60E7h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180D28 second address: 5180D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180D2E second address: 5180D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180D32 second address: 5180D36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C22F5D second address: C22F62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C22F62 second address: C22F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A73AAA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A73B85 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C177A7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CA44D2 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7636	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7652	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: file.exe, file.exe, 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000002.00000003.1355090621.000000000146B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355812204.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355979615.000000000146C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.000000000146A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWb

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00A55BB0 LdrInitializeThunk,

2_2_00A55BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: VProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
clearancek.site	18%	Virustotal	Browse
eaglepawnoy.store	18%	Virustotal	Browse
studennotediw.store	18%	Virustotal	Browse
licendfilteo.site	16%	Virustotal	Browse
mobbipenju.store	14%	Virustotal	Browse
bathdoomgaz.store	14%	Virustotal	Browse
spirittunek.store	14%	Virustotal	Browse
dissapoiznw.store	14%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	0%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://www.youtube.com	0%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199724331900$	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	false	0%, Virustotal, Browse	unknown
eaglepawnoy.store	unknown	unknown	true	18%, Virustotal, Browse	unknown
bathdoomgaz.store	unknown	unknown	true	14%, Virustotal, Browse	unknown
spirittunek.store	unknown	unknown	true	14%, Virustotal, Browse	unknown
licendfilteo.site	unknown	unknown	true	16%, Virustotal, Browse	unknown
studennotediw.store	unknown	unknown	true	18%, Virustotal, Browse	unknown
mobbipenju.store	unknown	unknown	true	14%, Virustotal, Browse	unknown
clearancek.site	unknown	unknown	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	unknown	unknown	true	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dissapoiznw.storec	true		unknown
studennotediw.storec	true		unknown
licendfilteo.sitec	true		unknown
clearancek.site	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
bathdoomgaz.storec	true		unknown
eaglepawnoy.storec	true		unknown
mobbipenju.store	true		unknown
spirittunek.storec	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://player.vimeo.com	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355890375.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/en/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/market/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900$	file.exe, 00000002.00000002.1355812204.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355890375.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.youtube.com	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://clearancek.site:443/api	file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://licendfilteo.site:443/api	file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900n%w	file.exe, 00000002.00000002.1355931266.0000000001446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://store.steampowered.com/	file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com:443/profiles/765611997243319007nP	file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355890375.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spirittunek.store:443/api	file.exe, 00000002.00000003.1355031029.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355931266.0000000001450000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000002.00000003.1355031029.0000000001444000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000002.00000003.1354924396.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000002.00000003.1355090621.000000000146B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354940209.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354824103.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1355992457.0000000001472000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1355118670.0000000001471000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1354786582.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000002.00000003.1354786582.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528898
Start date and time:	2024-10-08 12:31:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:32:13	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61
	20fUAMt5dL.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	main.bin	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lHHfXU6Y37.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	sakura	Get hash	malicious	Unknown	Browse	104.126.113.20
	http://nbxvavlbbnks0ockyfxgnbxva.feedbackfusion.site/4nbXVA123415bxwz821wfgqkoqbno9030GRUYZVSMVMDWDTG236348/3210Y21	Get hash	malicious	Unknown	Browse	23.212.88.20
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	na.elf	Get hash	malicious	Unknown	Browse	104.84.82.83
	Message_2551600.eml	Get hash	malicious	Unknown	Browse	2.19.126.160
	na.elf	Get hash	malicious	Unknown	Browse	23.7.233.67
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	na.elf	Get hash	malicious	Mirai	Browse	23.41.157.216
	na.elf	Get hash	malicious	Mirai	Browse	104.86.71.39
	na.elf	Get hash	malicious	Mirai	Browse	104.85.197.114

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Oilmax Systems Updated.xls	Get hash	malicious	Unknown	Browse	104.102.49.254
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	Lk9rbSoFqa.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	20fUAMt5dL.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949927663850194
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'866'240 bytes
MD5:	4906df588975aa33a2eed7c05a04ad74
SHA1:	933f7c08c12fa78c7cf7efdfe9ed3dfb13a9cd1c
SHA256:	d323f2034ee22ad7b02394182f3d52456b3fb3a37bc0d1cea888c5a482c88a26
SHA512:	b5c3b2aceafc8e9300839f98404810ed9ced7406b2694a831bb0e6f3b83f027ece8b9ec7f2a47ce9b0b98cf9b2bff652aa44e9550a89a847e3c627a45f76e8b6
SSDEEP:	49152:esS5yDUG8twLRbD4Utyl7pJTgG897+4fXGAjwjtSTS:eDI4Gi+Rf4Sm7p3M+rAssT
TLSH:	B88533932C8CA1A2E60814769053CB5977B1B643E9EC09EF770634F4BF0B72CE9856B5
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@...........................K.....P.....@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8ae000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F900CDCC2EAh
addps xmm3, dqword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F900CDCE2E5h
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop ds
add byte ptr [eax+000000FEh], ah
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+0Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	b292c6b803535f070306b0e3721efd4e	False	0.9995036613036303	data	7.980837503292299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2ae000	0x200	86849231052287887383493ab52bba00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iqxagfmt	0x30e000	0x19f000	0x19e200	256736145bad198b7c3c5f23b8f667ad	False	0.9943605210534259	data	7.954662420939759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pvplyzty	0x4ad000	0x1000	0x400	d8a665a00778d9f34ba94df0339458cb	False	0.7119140625	data	5.653743951245639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ae000	0x3000	0x2200	4e6956375ac9906b04f00f6a67c0bda9	False	0.0739889705882353	DOS executable (COM)	0.988945047346554	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T12:32:14.809070+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.7	50314	1.1.1.1	53	UDP
2024-10-08T12:32:14.835328+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.7	61681	1.1.1.1	53	UDP
2024-10-08T12:32:14.848009+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.7	64806	1.1.1.1	53	UDP
2024-10-08T12:32:14.859375+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.7	57761	1.1.1.1	53	UDP
2024-10-08T12:32:14.870077+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.7	58670	1.1.1.1	53	UDP
2024-10-08T12:32:14.880529+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.7	62893	1.1.1.1	53	UDP
2024-10-08T12:32:14.891418+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.7	52156	1.1.1.1	53	UDP
2024-10-08T12:32:14.902807+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.7	60290	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 12:32:14.929081917 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:14.929104090 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:14.929198027 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:14.932291985 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:14.932306051 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:15.572139025 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:15.572237968 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:15.575301886 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:15.575313091 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:15.575771093 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:15.626570940 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:15.631913900 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:15.679404020 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.091985941 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.092019081 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.092046976 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.092058897 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.092082977 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.092135906 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:16.092150927 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.092202902 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:16.092223883 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:16.179574966 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.179646969 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.179714918 CEST	443	49713	104.102.49.254	192.168.2.7
Oct 8, 2024 12:32:16.179811001 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:16.179863930 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:16.181128025 CEST	49713	443	192.168.2.7	104.102.49.254
Oct 8, 2024 12:32:16.181135893 CEST	443	49713	104.102.49.254	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 12:32:14.809070110 CEST	50314	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.831412077 CEST	53	50314	1.1.1.1	192.168.2.7
Oct 8, 2024 12:32:14.835328102 CEST	61681	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.844341993 CEST	53	61681	1.1.1.1	192.168.2.7
Oct 8, 2024 12:32:14.848009109 CEST	64806	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.856812954 CEST	53	64806	1.1.1.1	192.168.2.7
Oct 8, 2024 12:32:14.859375000 CEST	57761	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.867790937 CEST	53	57761	1.1.1.1	192.168.2.7
Oct 8, 2024 12:32:14.870076895 CEST	58670	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.879208088 CEST	53	58670	1.1.1.1	192.168.2.7
Oct 8, 2024 12:32:14.880528927 CEST	62893	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.889280081 CEST	53	62893	1.1.1.1	192.168.2.7
Oct 8, 2024 12:32:14.891417980 CEST	52156	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.900516033 CEST	53	52156	1.1.1.1	192.168.2.7
Oct 8, 2024 12:32:14.902806997 CEST	60290	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.912005901 CEST	53	60290	1.1.1.1	192.168.2.7
Oct 8, 2024 12:32:14.916332006 CEST	51939	53	192.168.2.7	1.1.1.1
Oct 8, 2024 12:32:14.923476934 CEST	53	51939	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 12:32:14.809070110 CEST	192.168.2.7	1.1.1.1	0x633b	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.835328102 CEST	192.168.2.7	1.1.1.1	0x311	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.848009109 CEST	192.168.2.7	1.1.1.1	0xe4d1	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.859375000 CEST	192.168.2.7	1.1.1.1	0x8347	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.870076895 CEST	192.168.2.7	1.1.1.1	0x2f33	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.880528927 CEST	192.168.2.7	1.1.1.1	0xd2f3	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.891417980 CEST	192.168.2.7	1.1.1.1	0x64f	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.902806997 CEST	192.168.2.7	1.1.1.1	0x2b39	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.916332006 CEST	192.168.2.7	1.1.1.1	0x50d0	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 12:32:14.831412077 CEST	1.1.1.1	192.168.2.7	0x633b	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.844341993 CEST	1.1.1.1	192.168.2.7	0x311	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.856812954 CEST	1.1.1.1	192.168.2.7	0xe4d1	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.867790937 CEST	1.1.1.1	192.168.2.7	0x8347	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.879208088 CEST	1.1.1.1	192.168.2.7	0x2f33	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.889280081 CEST	1.1.1.1	192.168.2.7	0xd2f3	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.900516033 CEST	1.1.1.1	192.168.2.7	0x64f	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.912005901 CEST	1.1.1.1	192.168.2.7	0x2b39	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 12:32:14.923476934 CEST	1.1.1.1	192.168.2.7	0x50d0	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49713	104.102.49.254	443	7440	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 10:32:15 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-08 10:32:16 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 08 Oct 2024 10:32:16 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=0b1e54059271a69168a9485f; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-08 10:32:16 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-08 10:32:16 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	2
Start time:	06:32:11
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa10000
File size:	1'866'240 bytes
MD5 hash:	4906DF588975AA33A2EED7C05A04AD74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	59.6%
Total number of Nodes:	52
Total number of Limit Nodes:	6

Executed Functions

Function 00A550FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00A55182

Strings

@^, xrefs: 00A55120
<I$), xrefs: 00A552E3
<I$), xrefs: 00A55198

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: eb47943d5365ea9d90ad9e1d08f7bae882421b0ce5cf987199553a69140c6487
Instruction ID: 131fc3ef9d46d97e820ced855c38aaa9db10308aca255b9062ecb1a7191a925c
Opcode Fuzzy Hash: eb47943d5365ea9d90ad9e1d08f7bae882421b0ce5cf987199553a69140c6487
Instruction Fuzzy Hash: 8721DE355083808FC700DFA8D89072ABBF4BB6A300F69482CE1C1D7352D772D91ACB46

Function 00A1FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 00A1FCBE
V, xrefs: 00A1FEDC
J|BJ, xrefs: 00A2000D
VY^_, xrefs: 00A1FDFF

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 013913b87b9480e7b89f0b7d738d47bfb7564f3cc7aee0317aa878de49adb1b9
Instruction ID: c8f1327b164534433e9fbb48155f7b0a6ad3d3d2c80d7be71a41875cbba5b165
Opcode Fuzzy Hash: 013913b87b9480e7b89f0b7d738d47bfb7564f3cc7aee0317aa878de49adb1b9
Instruction Fuzzy Hash: BCD1887450C3A09FD314DF18A590A5FBBF1AB96B44F18892CF4C98B252C336CD4ADB92

Function 00A1D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00A1D2F1

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1f3333e1d0970f10c1fe2061a44ff88d6d990f4198c64b1b9161b7478d14abd2
Instruction ID: a7a5b837247ff4c1a5be580d9480fb215a2f0408246646d56324eea1b098c2f7
Opcode Fuzzy Hash: 1f3333e1d0970f10c1fe2061a44ff88d6d990f4198c64b1b9161b7478d14abd2
Instruction Fuzzy Hash: A041647450D390ABC301BB68D284A6EFBF5AF96704F048C1CE8D49B212C33AD894CB67

Function 00A55BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00A5973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00A55BDE

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00A5695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00A569C5

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e5b18cf72ea6d1cded1ce4d99d9cf3fd1fc8af88c0e17300fd684cf0ee35e786
Instruction ID: cdfbb79694947282c445c7d24d8cac3baec54dc83975f6f9754f9b563198f1f1
Opcode Fuzzy Hash: e5b18cf72ea6d1cded1ce4d99d9cf3fd1fc8af88c0e17300fd684cf0ee35e786
Instruction Fuzzy Hash: F631ADB19083019FD718DF24D4A072BB7F1FF94385F88881CEAC697261E3749908CB56

Function 00A2049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a313a3ea5b82c139967b1e20691f22f0dcf70e9b7e054a73a730bff9c00e58c5
Instruction ID: 336df474bc0e945ed966c39ee5916ec0602b38efd3d8767168a16c33b1351da3
Opcode Fuzzy Hash: a313a3ea5b82c139967b1e20691f22f0dcf70e9b7e054a73a730bff9c00e58c5
Instruction Fuzzy Hash: C891AC75200B00CFD724CF65E894A17B7F6FF89311B158A6DE8568BAA2DB70F816CB50

Function 00A20228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23050a82590b1765152480f91458f09342d36da127c8d9f8dd24d2fcbfb98077
Instruction ID: 3f66d81e70c931cd784240766ec9f981112a1bcf0f9b4f7a70a51f1871e5d6d1
Opcode Fuzzy Hash: 23050a82590b1765152480f91458f09342d36da127c8d9f8dd24d2fcbfb98077
Instruction Fuzzy Hash: 89717974200B00DFD724CF65E894B17BBF6FF49311F148969E8968BAA2DB71A816CB50

Function 00A599D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce80d772014034153fdcd3478701c8d4508eec719d86808e0e4381126a95674f
Instruction ID: 158b3151cb741e9fb0d5c70631aa484cf365b83bc0e58f8c8bfa8380782c210a
Opcode Fuzzy Hash: ce80d772014034153fdcd3478701c8d4508eec719d86808e0e4381126a95674f
Instruction Fuzzy Hash: 7F41A134608300EBEB14DB15D990B2BB7B6FB85752F15882CF9899B251D331E806CB62

Function 00A563B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a64f03a15f7da795a7ff26a35f1eb98c23c5f75501579d5bd4342d18576da75
Instruction ID: 34325f2870353ebcbfbb1c12bc22a1198bf7402b0a3e6513d3f80dc1aff5c695
Opcode Fuzzy Hash: 5a64f03a15f7da795a7ff26a35f1eb98c23c5f75501579d5bd4342d18576da75
Instruction Fuzzy Hash: DA31D570649301BBDA24DB14CE81F3AB7B6FB80B22FA4491CF9C15B2E1D370A855CB52

Function 00A20EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d955e98329433ed2b3f52fb50854c3f278542b08e26c36a2c0e430c6071b72e4
Instruction ID: b433195fe73b41adaff54faa188a591a68e46faa507af6b3a16cec25723a7892
Opcode Fuzzy Hash: d955e98329433ed2b3f52fb50854c3f278542b08e26c36a2c0e430c6071b72e4
Instruction Fuzzy Hash: 8D2139B490022A9FDB15CF98DC90FBEBBB1FB4A304F144818E511BB392C735A901CB64

Function 00A53220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00A532A6

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 09f281a078ef0fedee9ce1f08a7e3accdd10c799b69357c89a43e91498d333fa
Instruction ID: cc3bd70be94339662f30fa44bfdaba8ebecb5fd5d152933f3759a1c56042bcc0
Opcode Fuzzy Hash: 09f281a078ef0fedee9ce1f08a7e3accdd10c799b69357c89a43e91498d333fa
Instruction Fuzzy Hash: 1B018B3490D240ABC700EF58E848A1EBBF8EF9A701F05881CE5C48B361D235DC24CB92

Function 00A53202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00A53208

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 039b8a847432801be7903d8ddb838d6461841bdcdf484abeed84beae2db50d38
Instruction ID: 27e6852453c687670e0f1cdaea26d51347ba1ba98dfd42c677fb8374455268ca
Opcode Fuzzy Hash: 039b8a847432801be7903d8ddb838d6461841bdcdf484abeed84beae2db50d38
Instruction Fuzzy Hash: 9DB012305400005FDA041B00EC0AF003520EB00605F810050E100540B1D1A15865C555

Non-executed Functions

Function 00A2DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00A2E6E6
|, xrefs: 00A2ECB1
WP, xrefs: 00A2DCEF
AR, xrefs: 00A2DD10
xgfe, xrefs: 00A2E71D
:WUE, xrefs: 00A2F6B7, 00A2F6C6
<=:;, xrefs: 00A2E930
QNOL, xrefs: 00A2E775
89>?, xrefs: 00A2E9F6
dcba, xrefs: 00A2E728
%*+(, xrefs: 00A2DE37, 00A2DE46
<=2, xrefs: 00A2EA01
tsrq, xrefs: 00A2E6FC
@ONM, xrefs: 00A2E6DB
tuJK, xrefs: 00A2E967
DCBA, xrefs: 00A2E887, 00A2E896
T, xrefs: 00A2F157
89&', xrefs: 00A2E93B
`Y^_, xrefs: 00A2E99E
D, xrefs: 00A2E846
`onm, xrefs: 00A2E733
mjkh, xrefs: 00A2E7D8
()./, xrefs: 00A2E9CA
lkji, xrefs: 00A2E73E

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: a8fb312591c1b0563af9599559f5aaf0809bed30e370021ca74f956eab88dd47
Instruction ID: 97160830c951c034f133c5b9d2a85b6b5de82833745e4019dd5017a7bd392185
Opcode Fuzzy Hash: a8fb312591c1b0563af9599559f5aaf0809bed30e370021ca74f956eab88dd47
Instruction Fuzzy Hash: 3EF277B15083919FD770CF18D884BABBBE2BFD5344F54482CE8C98B252E7719985CB92

Function 00A423E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

|}&C, xrefs: 00A42F21
ggxz, xrefs: 00A42685
fedc, xrefs: 00A42782
3<, xrefs: 00A432D6
Cx, xrefs: 00A4453D
mlc@, xrefs: 00A4275C
{l`~, xrefs: 00A4268C
`tii, xrefs: 00A42693
:, xrefs: 00A432DD
%*+(, xrefs: 00A440EF
f@~!, xrefs: 00A425FF
aenQ, xrefs: 00A4276A

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: 6bda5362997deb015bcbc91a9edd94e6d5749c9f1e3cbd6ea61ffe552b35fb0b
Instruction ID: 930a44554994c9d8d3919f00520531c1dfbaad89c127e41d244e7b72d5de8b1d
Opcode Fuzzy Hash: 6bda5362997deb015bcbc91a9edd94e6d5749c9f1e3cbd6ea61ffe552b35fb0b
Instruction Fuzzy Hash: 9C33CC78504B818FD7258F39C590762BBF1BF96304F58899DE4DA8BB82C735E806CB61

Function 00A39F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

/), xrefs: 00A3A66D
CG, xrefs: 00A3AA32
(a*c, xrefs: 00A3A147
N[, xrefs: 00A3A375
kW, xrefs: 00A3A380
S], xrefs: 00A3A636
?m,o, xrefs: 00A3A13C
sm, xrefs: 00A3A830
WH, xrefs: 00A3AA1C
%e6g, xrefs: 00A3A152
_Y, xrefs: 00A3A641
hi, xrefs: 00A3AB9D
WQ, xrefs: 00A3A62B
]{, xrefs: 00A3A1E7, 00A3A1F3
JG, xrefs: 00A3AA27
=], xrefs: 00A3A36A
Gt, xrefs: 00A39FF8

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 37535298b4214b0c9ca4c24adbe7192f8ce39f618ac6836fb2b3794000409ef8
Instruction ID: 89284d1ad2331a864bef004499c8beb154891db82ff3273878a51f120dd10235
Opcode Fuzzy Hash: 37535298b4214b0c9ca4c24adbe7192f8ce39f618ac6836fb2b3794000409ef8
Instruction Fuzzy Hash: EF52B7B444D385CAE270CF65D681B8EBAF1BB92740F608A1DE1ED9B255DBB08045CF93

Function 00A39510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

,A&C, xrefs: 00A3982E
X/R), xrefs: 00A39AEB
T#a-, xrefs: 00A39AE3
!E4G, xrefs: 00A39836
?M0K, xrefs: 00A39968
O+f), xrefs: 00A39634, 00A3963D
8;, xrefs: 00A39B13
pq, xrefs: 00A399E0
;IJK, xrefs: 00A3983E
L3Y=, xrefs: 00A39B03
B?Q9, xrefs: 00A39B0B
z=Q?, xrefs: 00A39826
2A"_, xrefs: 00A39980
G+X5, xrefs: 00A39AF3
G'M!, xrefs: 00A39ADB
B7U1, xrefs: 00A39AFB

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 4cfef076cc11c0e74560e830d2af8d06f66e276292938bfe2a04bb2b30232ddb
Instruction ID: c76799641697cd8210a24bc67227e4cf49f85969c504ce9cc003d9e53983261b
Opcode Fuzzy Hash: 4cfef076cc11c0e74560e830d2af8d06f66e276292938bfe2a04bb2b30232ddb
Instruction Fuzzy Hash: 60F14FB0408380ABD310DF15D981A2BBBF5FB8AB88F144D1CF5D59B252D3B4D949CBA6

Function 00BDF969 Relevance: 15.3, Strings: 11, Instructions: 1566COMMON

Download Yara Rule

Strings

3C, xrefs: 00BE011E
2w\, xrefs: 00BE0983
nkO, xrefs: 00BDFE7C
IAz, xrefs: 00BDFAFE
S4uK, xrefs: 00BE08BC
@Yo+, xrefs: 00BE00C1
T, xrefs: 00BE0638
El){, xrefs: 00BE0389
t?o|, xrefs: 00BE0BE5
@Yo+, xrefs: 00BE00D0
]$g, xrefs: 00BE04EE

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: 3C$2w\$@Yo+$@Yo+$El){$IAz$S4uK$T$]$g$t?o|$nkO
API String ID: 0-1704212682
Opcode ID: ab395b7fcd28c43c09b34bf0b5b598df2c90e8219e13fb99c644894c3e367fd1
Instruction ID: 961d39dbb0fb889f91ac29abc907a11be51f18bfa0a107c493f7821baf61976e
Opcode Fuzzy Hash: ab395b7fcd28c43c09b34bf0b5b598df2c90e8219e13fb99c644894c3e367fd1
Instruction Fuzzy Hash: 9BB2F6F36082109FE704AE2DEC8567AFBE9EF94720F1A453DEAC4C7744E63598018796

Function 00A3DD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

upH}, xrefs: 00A3DE8A, 00A3E798, 00A3DF4A
n\+H, xrefs: 00A3DDC0
)IgK, xrefs: 00A3E261
%*+(, xrefs: 00A3E143
=]+_, xrefs: 00A3E276
-M2O, xrefs: 00A3E25A
,Q?S, xrefs: 00A3E26F
{E, xrefs: 00A3E323
Y9N;, xrefs: 00A3E245
<Y.[, xrefs: 00A3E27D
hX]N, xrefs: 00A3DDC7

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: 260de77b12d45ea727c67482077b5be797ad6ec3ddb8bd00640b9a0769405304
Instruction ID: 30e99bfd2e6250e463303c751945121194c552b09d46556f4244ffbd4a20e4c9
Opcode Fuzzy Hash: 260de77b12d45ea727c67482077b5be797ad6ec3ddb8bd00640b9a0769405304
Instruction Fuzzy Hash: 0D92E475E00205CFDB14CFA8D8917AEBBB2FF49310F298168E456AB391D775AD42CB90

Function 00BE48EA Relevance: 14.1, Strings: 10, Instructions: 1617COMMON

Download Yara Rule

Strings

hzs?, xrefs: 00BE4D39
\@~}, xrefs: 00BE4B30
+:P, xrefs: 00BE51C0
\@~}, xrefs: 00BE4B24
^~>s, xrefs: 00BE5862
|J, xrefs: 00BE4CF1
R>'f, xrefs: 00BE4A4F
t>w3, xrefs: 00BE533E
^~>s, xrefs: 00BE587C
![6, xrefs: 00BE4CDC

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: ![6$+:P$R>'f$\@~}$\@~}$^~>s$^~>s$hzs?$t>w3$|J
API String ID: 0-538041392
Opcode ID: 022601a19179a5b8d3e4aa69cfeac886ccebc3bb3a1ee74678dbfe20f3385a59
Instruction ID: 05b258dd0bed7f6174e4fba132298da0586d3d7bae34ed69f06a889892639632
Opcode Fuzzy Hash: 022601a19179a5b8d3e4aa69cfeac886ccebc3bb3a1ee74678dbfe20f3385a59
Instruction Fuzzy Hash: 2FB216F3A0C2049FE7046E19EC8567AFBE9EF94720F1A493DEAC483740EA7558058797

Function 00BD5662 Relevance: 11.7, Strings: 8, Instructions: 1694COMMON

Download Yara Rule

Strings

2W7w, xrefs: 00BD66E3
A1W], xrefs: 00BD62BF
%q'~, xrefs: 00BD5C2B
oJj_, xrefs: 00BD56A1
_v?, xrefs: 00BD61A3
WW\, xrefs: 00BD5717
#Dk, xrefs: 00BD666A
W}-|, xrefs: 00BD5A98

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: #Dk$%q'~$2W7w$A1W]$W}-|$WW\$_v?$oJj_
API String ID: 0-1841457848
Opcode ID: 2789cbe95a56d4399b00314c2b0b7da13ba919c3cace6495b7e99606b0cb3898
Instruction ID: 51a1184796f6dc0a613774a3f1df74c431a566154853cc88ce6b60134ab3d9f6
Opcode Fuzzy Hash: 2789cbe95a56d4399b00314c2b0b7da13ba919c3cace6495b7e99606b0cb3898
Instruction Fuzzy Hash: 26B25DF3A0C2105FE308AE2DEC8567AB7D9EFD4320F1A853DEAC4D7744E93558058696

Function 00A3098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

&> &, xrefs: 00A30F89
%*+(, xrefs: 00A30A77, 00A30A86
qrqp, xrefs: 00A31089
9.5^, xrefs: 00A30F9F
gce/, xrefs: 00A31073
{, xrefs: 00A31502
cah`, xrefs: 00A3107E
,#15, xrefs: 00A30F94

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 254868468d81cea6a78bf2567ec3feab2eea45e4a249d1f02e05b7ef01de8555
Instruction ID: 75b52f9e3e3c19f04ac16bcf385392c30e69c9dc3ed1d6b2c14470b8546453f7
Opcode Fuzzy Hash: 254868468d81cea6a78bf2567ec3feab2eea45e4a249d1f02e05b7ef01de8555
Instruction Fuzzy Hash: 5E6296B16083818BD730CF14D891BABBBE1FF96354F084D2DE49A8B681E3759985CB53

Function 00A11000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 00A1157D, 00A115EB
gfff, xrefs: 00A12297
-, xrefs: 00A121ED
0123456789abcdefxp, xrefs: 00A11587, 00A115F8
@, xrefs: 00A12C40
gfff, xrefs: 00A12226
gfff, xrefs: 00A122E1

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 5a4389a778dfac737b54a62bb2e61c2006f6a2b97d309ea515d8729181098956
Instruction ID: ba516e97283ad668373ec1c64156886364803a0c81f8f3ad443f49600ca92529
Opcode Fuzzy Hash: 5a4389a778dfac737b54a62bb2e61c2006f6a2b97d309ea515d8729181098956
Instruction Fuzzy Hash: 07D2F6716083518FD718CF29C4943AABBE2AFD9314F188A2DE599CB391D734DD85CB82

Function 00BE7DEF Relevance: 10.3, Strings: 7, Instructions: 1572COMMON

Download Yara Rule

Strings

<%=, xrefs: 00BE8826
<%=, xrefs: 00BE8809
\_!, xrefs: 00BE8CAC
_51, xrefs: 00BE88D9
b[kg, xrefs: 00BE8837
D:W7, xrefs: 00BE7FA0
,1, xrefs: 00BE8456

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: ,1$<%=$<%=$D:W7$\_!$b[kg$_51
API String ID: 0-1435805542
Opcode ID: e3728244c0b9faa0dea794adc8f7d3516de53e325981caa5b23ca05090616762
Instruction ID: bc90a2eb3a8f1fa54a5402ebe0aa87f8faa588ff88d99cf05a4fd18b7458cf40
Opcode Fuzzy Hash: e3728244c0b9faa0dea794adc8f7d3516de53e325981caa5b23ca05090616762
Instruction Fuzzy Hash: AAB2F6F360C2009FE7046E2DEC8567ABBE6EF94320F1A893DE6C5C7744EA3558058697

Function 00BD8D6B Relevance: 7.9, Strings: 5, Instructions: 1638COMMON

Download Yara Rule

Strings

w, xrefs: 00BD8F94
Z|?f, xrefs: 00BDA14A
8g~k, xrefs: 00BD8E64
C3G3, xrefs: 00BD98A5
r@Yw, xrefs: 00BD99B1

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: 8g~k$C3G3$Z|?f$r@Yw$w
API String ID: 0-2057513449
Opcode ID: 9904a33d5f6277fddb9d28b037433adb0c981509cfca9a71c98c9cc5e3566032
Instruction ID: 7b471e0d745b5b4db45092aae026a4d7d6c0c6c156b6517e215905e0688282cc
Opcode Fuzzy Hash: 9904a33d5f6277fddb9d28b037433adb0c981509cfca9a71c98c9cc5e3566032
Instruction Fuzzy Hash: 2FB239F360C2009FE3046E2DEC8567ABBE9EF94720F1A493DEAC5C7744EA3558058697

Function 00BDDF04 Relevance: 7.9, Strings: 5, Instructions: 1609COMMON

Download Yara Rule

Strings

M^, xrefs: 00BDE15A
4yr, xrefs: 00BDEF4A
R{, xrefs: 00BDE560
B"z, xrefs: 00BDED55
)Y1;, xrefs: 00BDE4AB

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: )Y1;$4yr$B"z$R{$M^
API String ID: 0-560367046
Opcode ID: 3e4602366a1436c6e02464152835d75c0eadaa0e5cdba10cb536ee90d06934c4
Instruction ID: e4404ddf3754743ef61c5ba110e00e30fb5392478ef7609f6cc4f0b4c9250c17
Opcode Fuzzy Hash: 3e4602366a1436c6e02464152835d75c0eadaa0e5cdba10cb536ee90d06934c4
Instruction Fuzzy Hash: F3B25CF3A08204AFE3046E2DDC4567AFBE9EFD4720F1A453DEAC5C3744EA3598058696

Function 00BE64C5 Relevance: 7.8, Strings: 5, Instructions: 1524COMMON

Download Yara Rule

Strings

`;OG, xrefs: 00BE65C1
%~[, xrefs: 00BE73F6
3a~-, xrefs: 00BE6F6F
'*`, xrefs: 00BE7072
=jXe, xrefs: 00BE6DEF

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %~[$'*`$3a~-$=jXe$`;OG
API String ID: 0-9823096
Opcode ID: e5fa1f596acdb623e6c50c343a66972b802e5336f4f29b39b740424c9da202aa
Instruction ID: 5cc81e282bee070feab6c05590bd9634ea6288088feb3bd4726c29aa8d5752e3
Opcode Fuzzy Hash: e5fa1f596acdb623e6c50c343a66972b802e5336f4f29b39b740424c9da202aa
Instruction Fuzzy Hash: 4DA227F36082009FE3046E2DEC8567ABBE9EFD4720F1A493DE6C4C3744EA3598458697

Function 00A112F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 00A11DC1
i, xrefs: 00A128EA
0, xrefs: 00A11E88
@, xrefs: 00A13531
0, xrefs: 00A1243E

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: e87cab4f64abd31492424bb652421d53c2d534fb3d94b78c310f59d57025aef5
Instruction ID: 1b413c27be80a936336282e075078a02d59d61645a6390a0dcfe0d779e1647d5
Opcode Fuzzy Hash: e87cab4f64abd31492424bb652421d53c2d534fb3d94b78c310f59d57025aef5
Instruction Fuzzy Hash: A362D27160C3818FD719CF28C4907AABBE1AFD5354F188A2DE8D987291D774DD89CB82

Function 00A1164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

+, xrefs: 00A11573
0123456789ABCDEFXP, xrefs: 00A1164F
0123456789abcdefxp, xrefs: 00A11659
gfff, xrefs: 00A11F57
gfff, xrefs: 00A11F3C

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: ec5e1c987ad632ad407de9e9a9783c3ee026e4376aedebd25e5ec680d75337b0
Instruction ID: 79f7032550ee5f90c270b36fad8fbc74da67be455a2c6f0d8cba3d12dc0024a0
Opcode Fuzzy Hash: ec5e1c987ad632ad407de9e9a9783c3ee026e4376aedebd25e5ec680d75337b0
Instruction Fuzzy Hash: 63F19F7160C3918FC715CF29C4843AAFBE2ABD9304F188A6DE4D987356D734D989CB92

Function 00A113A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

-, xrefs: 00A11F23
0123456789ABCDEFXP, xrefs: 00A113A3
0123456789abcdefxp, xrefs: 00A113AD
gfff, xrefs: 00A11F57
gfff, xrefs: 00A11F3C

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: ee2d1c62119ae661fa0a933629409b51e2b91b0ffe72b369a73764f7ca3cf467
Instruction ID: c62eeef1204511db2c0041076cb4ceb0c37c84fb727ae0637d9172ba93e61058
Opcode Fuzzy Hash: ee2d1c62119ae661fa0a933629409b51e2b91b0ffe72b369a73764f7ca3cf467
Instruction Fuzzy Hash: 8AD18F7560C7818FC719CF29C4842AAFBE2AFD9304F08CA6DE4D987356D634D989CB52

Function 00A3FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

uvw, xrefs: 00A3FE95
m1s3, xrefs: 00A3FEC3, 00A3FECB
:, xrefs: 00A40087
NA_I, xrefs: 00A4036D

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 2bab71156306d32a478ec66ed1038e53fc5e900ff6a25b43ed01c573c76328ba
Instruction ID: 1503e5c7b560401b7a99b4a915785cc0937781a239932d8e10c186fb20d3aa1b
Opcode Fuzzy Hash: 2bab71156306d32a478ec66ed1038e53fc5e900ff6a25b43ed01c573c76328ba
Instruction Fuzzy Hash: 3932B9B4908380DFD311DF69D880A2BBBF1AB99350F184E2CF6D58B2A2D375D905DB52

Function 00BDA884 Relevance: 5.5, Strings: 3, Instructions: 1702COMMON

Download Yara Rule

Strings

E>^, xrefs: 00BDAF4A
8w7, xrefs: 00BDBCDC
^G6/, xrefs: 00BDB5BA

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: E>^$^G6/$8w7
API String ID: 0-3028531410
Opcode ID: 4b4dc8bd3b9be38db2fae255d2955e5a31cd113b9509fc2d6b42d9dd2ecd8d04
Instruction ID: e1797c31bc6dd1d9c531c27e2686bc2dd18d99ff6489707dbf8cbc137911f54c
Opcode Fuzzy Hash: 4b4dc8bd3b9be38db2fae255d2955e5a31cd113b9509fc2d6b42d9dd2ecd8d04
Instruction Fuzzy Hash: 01B23BF3A0C2049FE3086E2DEC8567ABBDAEFD4720F1A453DE6C5C7744EA3558018696

Function 00A23BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

ss, xrefs: 00A23C79
p, xrefs: 00A23C80
%*+(, xrefs: 00A23EC4
;z, xrefs: 00A23C87

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 67d3b09d64915ecb0ee04f0dbd9195c395e59776efa06e8c7357e7f6705321a9
Instruction ID: 39dec0ade1e1dd80fc95ac1caa58f964ca8f463c5bc910e699b57004bba69d64
Opcode Fuzzy Hash: 67d3b09d64915ecb0ee04f0dbd9195c395e59776efa06e8c7357e7f6705321a9
Instruction Fuzzy Hash: A5027CB4810B00EFD760DF28DA86756BFF5FB06301F50895CE89A8B645E334A419CFA2

Function 00BD2042 Relevance: 5.4, Strings: 3, Instructions: 1660COMMON

Download Yara Rule

Strings

BW_, xrefs: 00BD28F0
-v7P, xrefs: 00BD2107
J2+g, xrefs: 00BD2BCE

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: -v7P$BW_$J2+g
API String ID: 0-3416289072
Opcode ID: bb56f0756a035aa85003661d422a512c2194026bd4619bf77bc5f8af2221a9a9
Instruction ID: 8d0e6a280c0447f129e7d53a880a99f5a57eb0bb15cd7e9d07aed4aec8ca7349
Opcode Fuzzy Hash: bb56f0756a035aa85003661d422a512c2194026bd4619bf77bc5f8af2221a9a9
Instruction Fuzzy Hash: 8AB22BF360C2049FE304AE2DEC8567ABBE9EFD4760F1A863DE6C4C3744E53558058696

Function 00A32260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

sj, xrefs: 00A32327
lc, xrefs: 00A32507
hu, xrefs: 00A3232F
a|, xrefs: 00A32317

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 2185944b087b688ad9e42c4822d0410664a73841be3466328d780d020b0b993c
Instruction ID: d7cb799adc19249b9e38606862a0cd33b6654335ce81b4127f69bc42b934ace0
Opcode Fuzzy Hash: 2185944b087b688ad9e42c4822d0410664a73841be3466328d780d020b0b993c
Instruction Fuzzy Hash: 2CA147744083418BC7209F18C891B2BB7F0FF96754F589A0CF8D99B291E339D945CB96

Function 00BE1308 Relevance: 5.3, Strings: 3, Instructions: 1597COMMON

Download Yara Rule

Strings

{ , xrefs: 00BE1800
EG{, xrefs: 00BE1946
]%W5, xrefs: 00BE1554

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: EG{$]%W5${
API String ID: 0-1494478448
Opcode ID: 92c6d4bb68303dc19d6375c50445106e97de2c6a238c010a73894785a2add567
Instruction ID: 2ff6ed43b1b01d07e4e621fe87f1bdd2c0f358a135aef40a178fe6bf736fd5cb
Opcode Fuzzy Hash: 92c6d4bb68303dc19d6375c50445106e97de2c6a238c010a73894785a2add567
Instruction Fuzzy Hash: C8B214F360C2049FE3046E2DEC8567AFBE9EFD4320F1A893DE6C487744EA7558058696

Function 00BDC4C7 Relevance: 5.3, Strings: 3, Instructions: 1567COMMON

Download Yara Rule

Strings

`ej{, xrefs: 00BDCC9D
.Y, xrefs: 00BDCC47
AE~w, xrefs: 00BDC66E

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: AE~w$`ej{$.Y
API String ID: 0-2192609878
Opcode ID: dd7865758a6d1ed7f2679f939a472a03c264c95f7518e5fde5fb5146de9c4ae0
Instruction ID: 327cd0e7888ad56db1bbe41108c975a4811a0645f82ea9962af1c3c190f7d4cb
Opcode Fuzzy Hash: dd7865758a6d1ed7f2679f939a472a03c264c95f7518e5fde5fb5146de9c4ae0
Instruction Fuzzy Hash: 1AB205F3A08204AFD3046E2DEC8566AFBE9EF94720F1A493DE6C4C7744E63598058797

Function 00A3D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

#', xrefs: 00A3D9EA
KV, xrefs: 00A3D97D
T>, xrefs: 00A3D984
CV, xrefs: 00A3D98B

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 4566638056d2aa34cc84406868c81444d72e02a1c5e734a4beca3ee574633184
Instruction ID: 579cda7cf12e1bff21abfeb7ee7b4b4fc4cc89576604bbfbd4406e9712a907c7
Opcode Fuzzy Hash: 4566638056d2aa34cc84406868c81444d72e02a1c5e734a4beca3ee574633184
Instruction Fuzzy Hash: 3B8145B4801745DBDB20DFA5D28556EBFB1FF12300F60560CE886ABA55C330AA65CFE2

Function 00A3AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

(g6e, xrefs: 00A3ACA1
,{*y, xrefs: 00A3AD07, 00A3AD13
4c2a, xrefs: 00A3ACA9
lk, xrefs: 00A3ACBC

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 381fdbf66f0d9e626cadf3cd9b987b151180e168cd037141429ed9053722538a
Instruction ID: 3cc88ba3716ff07b646e74ee2c7d3e248acba6e335f51377f52781599bba8d76
Opcode Fuzzy Hash: 381fdbf66f0d9e626cadf3cd9b987b151180e168cd037141429ed9053722538a
Instruction Fuzzy Hash: 074162B4408381CADB209F20D900BABBBF4FF86345F54995DE5C897260EB71D945CB96

Function 00A3C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 00A3C537
%*+(, xrefs: 00A3C8C3, 00A3C8CB
%*+(, xrefs: 00A3C9E4, 00A3C9ED

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: 87164da00fc27122ea9ffba6c3d6c619c7526b10d2ab96d5cbae0c55dc892e49
Instruction ID: 685cf86883a281e120d6d561cae0cdabccc656ba272fe9dcec31f214c8bc1f62
Opcode Fuzzy Hash: 87164da00fc27122ea9ffba6c3d6c619c7526b10d2ab96d5cbae0c55dc892e49
Instruction Fuzzy Hash: 1DE185B9918340DFE320DF64D881B1ABBF5FB85354F48882CF6899B261E771D815CB92

Function 00A18590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

IEND, xrefs: 00A189F0
), xrefs: 00A1860C
), xrefs: 00A18616

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 3f1cad3c28bf99721b457985226aa0e4aba9461a4d0cb2f159d0a905f29d187c
Instruction ID: 1ed44a450687469790eb1b611a4bb066af6bc33fbfdddadc1b49b839d551101b
Opcode Fuzzy Hash: 3f1cad3c28bf99721b457985226aa0e4aba9461a4d0cb2f159d0a905f29d187c
Instruction Fuzzy Hash: 27E1D2B1A087019FE310CF28C8817AABBE1BF94354F144A2DF99597381DB79E955CBC2

Function 00A54040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

f, xrefs: 00A5420C
%*+(, xrefs: 00A540A4, 00A540AD

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 7b4af9ab0359feb3af452899bf6d357d343c8ad5857648cd7db0c2883b2b3643
Instruction ID: 54b52a1ddac7dda95ad54851b9e48738362ea7919772742730ec8e612a23dc9e
Opcode Fuzzy Hash: 7b4af9ab0359feb3af452899bf6d357d343c8ad5857648cd7db0c2883b2b3643
Instruction Fuzzy Hash: 5B12AF715083419FC715CF28C890B2EBBF1FB89319F188A2CF8959B291D775D989CB92

Function 00A4F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

hi, xrefs: 00A4F6E6
dg, xrefs: 00A4F7F5

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: e1a708ed0b92f63cfefdd020c2df82ffc75ea206815ce87b8dbbb15ba31a32eb
Instruction ID: 3c0113e9d397856940506489ff7d621904adf4d5a59989050851c8c0438083b9
Opcode Fuzzy Hash: e1a708ed0b92f63cfefdd020c2df82ffc75ea206815ce87b8dbbb15ba31a32eb
Instruction Fuzzy Hash: F9F18175618341EFE704CF24D891B2ABBF6EBC6345F24992CF4858B2A2C779D845CB12

Function 00A135B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 00A1360E
Inf, xrefs: 00A13607

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: f489f53537d84aee2d589c69e0a5dc59895bae736a498efe5e2280a737d32970
Instruction ID: be6053fb634e3a661a6cac3778af6c4635b60e30bde91d5d9d4cd0f7ea39a93b
Opcode Fuzzy Hash: f489f53537d84aee2d589c69e0a5dc59895bae736a498efe5e2280a737d32970
Instruction Fuzzy Hash: FED1E472A183119BCB04CF29C98065FBBE5FFC8750F148A2DF999973A0E671DD458B82

Function 00A2FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

BaBc, xrefs: 00A30197
Ye[g, xrefs: 00A300F6

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 68717a3c5e41d01b53a00f2a18fccdc9e134bb2cfdc5379cc6ed64053001a339
Instruction ID: 74add56a16d9e03a5e2b1fabbff38a77f160ef94f9b6755f6bbb1e4bf3ecf9b5
Opcode Fuzzy Hash: 68717a3c5e41d01b53a00f2a18fccdc9e134bb2cfdc5379cc6ed64053001a339
Instruction Fuzzy Hash: 7651AAB16083818BD735CF18C891BABB7E0FF96360F19491DE4DA8B651E3749980CB57

Function 00A15160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00A154C8

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: b1549ba2b5054400cba88d03b5383dac3c6e0e220d77f4ad6fa8978d95706ded
Instruction ID: 29a34f8b69ec279585b764340ab25376e028084c118436cb44f76f1002f0028c
Opcode Fuzzy Hash: b1549ba2b5054400cba88d03b5383dac3c6e0e220d77f4ad6fa8978d95706ded
Instruction Fuzzy Hash: A122B0B6E08B42CBE7158F38C5403A6BBA3AFE1354F1D896DD8994B281E771DC85C781

Function 00A412D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00A415D1

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 8ef1970b1abfebbbe35e0383364e182da35ba8d5644eb4f0c1efb5f134e33f9b
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 2FF13879A083414FC725CF24C49066BBBE6AFC5354F1CC96DE89A8B382E634DD85C792

Function 00A3AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A3B2D3, 00A3B2DB

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 4c3824b8260272e0b4a66faee8d2c6c5e6a97956263c6304dacb21199901fd26
Instruction ID: 1b77a16b973f94f1818bd578878e17aa9385ae5ab061dd646c27ea4d5ffa470a
Opcode Fuzzy Hash: 4c3824b8260272e0b4a66faee8d2c6c5e6a97956263c6304dacb21199901fd26
Instruction Fuzzy Hash: D8E1B871518306CBC724DF28C8905ABB7F2FF98791F598A1CE5C58B220E331E959DB92

Function 00A26EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A26EF3

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7ec62fa8b4f47eab99a7c76a175e41ab1186c5c95f4996429974a1ffd4b06dae
Instruction ID: 97a72786af16b44f9e22b5950674a0dfe390491060f343f4e193f0069660c83d
Opcode Fuzzy Hash: 7ec62fa8b4f47eab99a7c76a175e41ab1186c5c95f4996429974a1ffd4b06dae
Instruction Fuzzy Hash: F3F18EB5A01B118FC725DF28E981A26B3F6FF48315B148A3DE49787A91EB30F855CB41

Function 00A37E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A38263, 00A3826B

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 738964d636311712aaa62e58f14620b4f531d864f13c03fabcb8fdb64b2e26f8
Instruction ID: a7d594ffcdb6d2edeb0bd627ddb28cfd7f88992b263ea6df21e6ff59880b6bd4
Opcode Fuzzy Hash: 738964d636311712aaa62e58f14620b4f531d864f13c03fabcb8fdb64b2e26f8
Instruction Fuzzy Hash: 0EC1C0B1908300ABD721EB14C982A2FB7F5EF96754F18491CF8C58B251E738ED15CBA2

Function 00A38D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A39233, 00A3923B

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 2d522519db6d0c58fedbb6c2d8b4a67b98e17fa4834016da7e875d22bb9a37f4
Instruction ID: f4558a128848ca1c5825a625d742ba43baac8ddf660577774f10abc9e16e0cee
Opcode Fuzzy Hash: 2d522519db6d0c58fedbb6c2d8b4a67b98e17fa4834016da7e875d22bb9a37f4
Instruction Fuzzy Hash: 6DD19770618302DFD708DFA8D890A2BB7F5FB89305F09896CF88687291D7B4E991CB51

Function 00A57FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00A58167

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 14c17cf4208266742777c91e5d81d722d8c347e3dc23825e875cf370e6ca7657
Instruction ID: 2a7733a72b5a172d6bf3ce6d3de5a0de002f6afa9a7dbfa656e87d59b7946102
Opcode Fuzzy Hash: 14c17cf4208266742777c91e5d81d722d8c347e3dc23825e875cf370e6ca7657
Instruction Fuzzy Hash: 59D1D3729082618FC725CE18989072EB7E1FB85759F158A2CECB5AB380DB75DC4AC7C1

Function 00A3CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A3CDC3, 00A3CDCB

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: fec094ee89b70fde10c82668ccd65aa1a9ddfbc480bf45f68402adaaaa7dc1d7
Instruction ID: fb26163e06bb49e12f9a484903aeeac69e47700cc4c1900e5111c4ed4b54c005
Opcode Fuzzy Hash: fec094ee89b70fde10c82668ccd65aa1a9ddfbc480bf45f68402adaaaa7dc1d7
Instruction Fuzzy Hash: 55B1E070A083019BD714DF68E880B2BBBF2EF86760F14492CF5C5AB251E335E955CB92

Function 00A1A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00A1A9C3

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 1c3851da3e5655c1d4cb897a1639f7766e1b5dc29290ee2ae65bff7071828774
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: ECB1287020D3819FD325CF28C88065BBBE1AFA9704F448A2DF5D997342D671EA58CB57

Function 00A4FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A4FCA4, 00A4FCAD

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: c3599139837fb06aa38ebb36f3cae818b5eea17271a12ae960ecc38f11b079d7
Instruction ID: c93adb6423644ed633efc3d45268254a31f4fde10107fe41860292f3c433ed29
Opcode Fuzzy Hash: c3599139837fb06aa38ebb36f3cae818b5eea17271a12ae960ecc38f11b079d7
Instruction Fuzzy Hash: 9281CA75908200EFD710DFA8D985B2AB7F5FB89746F04882CF58587291E770E819CB62

Function 00A2D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A2D663, 00A2D66B

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7675c1513d6ee5eb9fd80940c9021b70128d58acf2f59a3c01ce7d22ebe17f32
Instruction ID: d35f66e2062fac3517dadfe1845ddfeb86cd9915a037e067941cac48979e9b69
Opcode Fuzzy Hash: 7675c1513d6ee5eb9fd80940c9021b70128d58acf2f59a3c01ce7d22ebe17f32
Instruction Fuzzy Hash: 8F61F1B1908310DBD710EF58EC82A2BB3B1FF95354F18092CF9858B292E7B5E955C792

Function 00A54A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A54C33, 00A54C3B

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 27eb4c82565b9f29269da76a110b2430a7d74f38a52797984f1ab05f31b0199e
Instruction ID: 9cc15611e26e9d8cf5b257870990cf06d7458eb718ba4ffd9d3bdeef088fee0a
Opcode Fuzzy Hash: 27eb4c82565b9f29269da76a110b2430a7d74f38a52797984f1ab05f31b0199e
Instruction Fuzzy Hash: 3A61E371A083019BD710DF65D880B2ABBE6FBC831AF19891CEDC987291D771EC99CB51

Function 00B7C47D Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

K-=[, xrefs: 00B7C66C

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: K-=[
API String ID: 0-3415545169
Opcode ID: ab94097e32bc0bf6162ab4cd2ee53c6dbd95cf277db8a3a849d6354b0623813a
Instruction ID: 2f72d09d4fb93ab8aae2dd9a71d2aeacbd86da0d6c2b32c8f6763f55a94b4b79
Opcode Fuzzy Hash: ab94097e32bc0bf6162ab4cd2ee53c6dbd95cf277db8a3a849d6354b0623813a
Instruction Fuzzy Hash: 4B5167B3E082245BE314293DDD4976ABFE9DB90360F17423DDF84A7B84E9395D0486C9

Function 00A1E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00A1E333

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 4c0d69194c513b09484550dcb5b59d3aa32803119591d3968f17213d2f2faa99
Instruction ID: 1361ca8b50ce811c23cba48c05130dc868c990a66082f9395f72c9e6d8fc371b
Opcode Fuzzy Hash: 4c0d69194c513b09484550dcb5b59d3aa32803119591d3968f17213d2f2faa99
Instruction Fuzzy Hash: BC513737A196E04BD728C97C4C652E96AD71FA6334B3DC369EDF18B3E4E52548818390

Function 00A53920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A539E3, 00A539EB

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7fbf9b2615a4fcb1e5d6c65f3da39767839a18823db2be09a4e164a2ff02153e
Instruction ID: 09dec2bf57f2a8229206be5ea618c7bd7af63936ba540b0b36ce374fff634e93
Opcode Fuzzy Hash: 7fbf9b2615a4fcb1e5d6c65f3da39767839a18823db2be09a4e164a2ff02153e
Instruction Fuzzy Hash: 4351AD76609200DBCB24DF55D990A2EBBF5FBC5386F18881CE9C687251D372DD18CB62

Function 00A21BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00A21C3E

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: d6577101ef5d81b56995272d9768dea78b912b2518fba7dfa2566853ce0b528c
Instruction ID: 2ffe26ad5f95e9a931e59298d1c21255ef753f687ba130fe101573c5f3112731
Opcode Fuzzy Hash: d6577101ef5d81b56995272d9768dea78b912b2518fba7dfa2566853ce0b528c
Instruction Fuzzy Hash: CF4174B80083909BC7149F58D894A2FBBF0FF9A314F04892CF5C59B291D736C915CB56

Function 00A4FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A50033, 00A5003B

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 234ca264d13c16d3a07fcbb62cf0843777f171b3c340798099a7ac0850ea1f2c
Instruction ID: 503cf45f7991e5d1cfb9f87364b031c2df4a656631c07de2da8f8e1e55013178
Opcode Fuzzy Hash: 234ca264d13c16d3a07fcbb62cf0843777f171b3c340798099a7ac0850ea1f2c
Instruction Fuzzy Hash: 8F31E3B1A08311ABD610EB64DC81F2BB7E9FB85746F544828FC8587292E231DC18C7A3

Function 00A3E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 00A3E6A2

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 17981b9110332f838eb25099e471138702b51b620fbbeac0f139115b8cba451c
Instruction ID: 46eca28a7d7af7542c1adf8e4a4715dffa34da17c7382eba3f58bef862fa5268
Opcode Fuzzy Hash: 17981b9110332f838eb25099e471138702b51b620fbbeac0f139115b8cba451c
Instruction Fuzzy Hash: 2D31E4B6A00205CFCB20CF95E9805AFBBB5FF4A745F18082CE446A7341C335AD45CBA2

Function 00A26F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00A2703B

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: ba12e8ec3e7fe48840b74c870266e78b2b36ce6366d343fa8630d2a404556b8a
Instruction ID: df16c333bf991bea554c2940aad6ea787eacc35fd7c5814c35f4d4cc63789991
Opcode Fuzzy Hash: ba12e8ec3e7fe48840b74c870266e78b2b36ce6366d343fa8630d2a404556b8a
Instruction Fuzzy Hash: 52416C71609B14DBD734CF69EA94F26B7F2FB09701F14882CE58697AA1E371F8048B10

Function 00A3E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 00A3E6A2

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 16aa133343de23f5cc1e7582374a051983c8995827d4e736a5b639f9882b1166
Instruction ID: 2375265632e231c96c0cee67719d6168559baa374aee1ba0e6dcf9cfe32fd8e2
Opcode Fuzzy Hash: 16aa133343de23f5cc1e7582374a051983c8995827d4e736a5b639f9882b1166
Instruction Fuzzy Hash: C121B0B6A00305CFC720CF95D990AAFBBB5BF1A745F18081CE446AB381C335AD41CBA2

Function 00A59CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00A59D30

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 063cd8956ee5d7e9ff9ca96fd88fa0fa1a2e338c5c5e703bcaead67c87801474
Instruction ID: ce81128c8cd1df3ee202098e2833861e5eb78788bffe428d2fc58e9fd2dbae60
Opcode Fuzzy Hash: 063cd8956ee5d7e9ff9ca96fd88fa0fa1a2e338c5c5e703bcaead67c87801474
Instruction Fuzzy Hash: E43146719093009BD314DF25D980A2BFBF9FF9A315F14892CE9C49B251E375D908CBA6

Function 00A24E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960a180568e32213e6f9f903cf4e5420a9408cfacf22c7ebd31e92de9a4dd1b5
Instruction ID: e6d8a8636763bd50a299d21b92d6809e28f5d0c7c679b23c082812cb5b3dfe49
Opcode Fuzzy Hash: 960a180568e32213e6f9f903cf4e5420a9408cfacf22c7ebd31e92de9a4dd1b5
Instruction Fuzzy Hash: 436258B0A00B109FD725CF28E990B27B7F6BF59714F54892CD49A8BA52E734F844CB90

Function 00A1BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 87cf8115238fb7f6af828f641a5ac417991fadf253160e1381be76750aace672
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 9C520B316487218BC725DF18D4802FAF3E1FFD5329F294A2DD9D697290E734A891CB86

Function 00A58652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ccee2bc36b73fc9039a9cb9cc74e8ba79f81d61b7263260650a52fee195de2d
Instruction ID: 5d4505077d79ba5000750a1a2e008476e1af2b116079ec51e657a168d112c29e
Opcode Fuzzy Hash: 0ccee2bc36b73fc9039a9cb9cc74e8ba79f81d61b7263260650a52fee195de2d
Instruction Fuzzy Hash: 6322CA35608340CFC704DFA8E89062ABBF1FF8A316F19896DE98987351D775E895CB42

Function 00A586F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe950431acf8696dd16b24bcfd68c2ef4929211a2c79098664ee7a76497aa29
Instruction ID: 7a9dbcbe7fba6424fed5a843b82054250d37e738f1537d6ed0cf0f9d53be98dc
Opcode Fuzzy Hash: ebe950431acf8696dd16b24bcfd68c2ef4929211a2c79098664ee7a76497aa29
Instruction Fuzzy Hash: B722A935608340DFC704DFA8E89062EBBF1FB8A306F19896DE98987361D775E855CB42

Function 00A1B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a773e6d5f4534f2f7668c6f3e5087a95416c2d2556bc3385bc0c687ab59cc81
Instruction ID: b38187b8762929a1f9220cd9b9f29704038f3f726090dd186ba27c1a9de30d18
Opcode Fuzzy Hash: 5a773e6d5f4534f2f7668c6f3e5087a95416c2d2556bc3385bc0c687ab59cc81
Instruction Fuzzy Hash: ED52AF70A18B888FE735CB24C5847E7BBE2AF95314F144C2DC5E646AC2C779A8C5CB61

Function 00A171F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8317a92e5ca8954994231a5dab3b18f5635cc4c1d30193914c3e5bc0f2a12b
Instruction ID: 59feaf802c3bafb80b13f33f5e230ab1654fd670ad075529880b7e5b3cec9f85
Opcode Fuzzy Hash: 8d8317a92e5ca8954994231a5dab3b18f5635cc4c1d30193914c3e5bc0f2a12b
Instruction Fuzzy Hash: 18529D3150C3458FCB15CF29C0906EEBBF2BF88314F199A6DE89A5B251D774E989CB81

Function 00A18FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380ce794b6ea78aff87dddf2780f021574c9e9605779145c38cea316c07805a3
Instruction ID: e1d4bd3fe7d459e9828f7b95b5fa0d0ecd7857e1827220619ea4fdb7db2a2e5c
Opcode Fuzzy Hash: 380ce794b6ea78aff87dddf2780f021574c9e9605779145c38cea316c07805a3
Instruction Fuzzy Hash: 6E423675608341DFD708CF28D86079ABBF1BB88355F19886DE4858B3A1D736DA86CF42

Function 00A17BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467447cfe4302f403084ae6afc028baebb42db0ef7889100c4e73c1c199e13a9
Instruction ID: 36a4daeed75b0f6a968748640a52462d4c3544560b37e4a7e01c4f6e37a08ce8
Opcode Fuzzy Hash: 467447cfe4302f403084ae6afc028baebb42db0ef7889100c4e73c1c199e13a9
Instruction Fuzzy Hash: 16322370518B118FC368CF29C5905AABBF2BF45710B645A2ED6A787F90D736F885CB10

Function 00A589A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6064d744847e5531dba56017bdfe274864cd4df4f22ad8dae058cd9886e9859e
Instruction ID: c551e4ec767edece604de21c2345eb96fc70dde518da1bb99485a6e13e6c51cf
Opcode Fuzzy Hash: 6064d744847e5531dba56017bdfe274864cd4df4f22ad8dae058cd9886e9859e
Instruction Fuzzy Hash: 1D02A835608340DFC704DFA8E89061EBBF5FB8A306F19896DE98987361D336D855CB92

Function 00A58A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128880d66cb28256b6d0ade0ebf91ab309a5147739de4c00c8a3afb59f85f549
Instruction ID: 78310450cda909eb349b1d8c6d7596414de3accf93f28a34c4d8d8e13d5e401c
Opcode Fuzzy Hash: 128880d66cb28256b6d0ade0ebf91ab309a5147739de4c00c8a3afb59f85f549
Instruction Fuzzy Hash: 9BF18835608380DFC704DF68E89061EBBF5BB8A306F19896DE8C98B351D736D915CB92

Function 00A58C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7333c1061f3617b056e55ed07a7355b5eb762aed291bc58a1f633d6bdd2c36d2
Instruction ID: 7dc1cdae1cc59f7f93afc9afb8e8db3bac1a3566233decbe95c511a3a1edce5a
Opcode Fuzzy Hash: 7333c1061f3617b056e55ed07a7355b5eb762aed291bc58a1f633d6bdd2c36d2
Instruction Fuzzy Hash: 89E1CD31608340CFC704DF68E89066AB7F5FB8A315F19896CE9C98B351D776E815CB82

Function 00A1A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: fd43a62de93507e994f07c3b6b2e8a19735818eba903e1d76abd4e927b647128
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 1FF1BF766497418FC724CF29C88176BFBE2AFE8300F08882DE4D587751E639E985CB56

Function 00A58E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8475122d73c765e3f4e4cbbc3ea8fa1e98203f3b34fe266947493908b50145f4
Instruction ID: 57b88f905673ad0ae3528caf646b0e11e3457c45c1914653fdc4086d2694cf1b
Opcode Fuzzy Hash: 8475122d73c765e3f4e4cbbc3ea8fa1e98203f3b34fe266947493908b50145f4
Instruction Fuzzy Hash: A6D18B3460C280DFD705EF68E89062ABBF5FB8A306F19896DE8C58B251D736D815CB52

Function 00A24487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34fc03ac489226f86eb8f34e3916d5d2750b2a2c218df9114ed49cd21e80d20
Instruction ID: 7ad95071579d186c776c866d0e3c35764d952ad6116a449a863494c1f28834dd
Opcode Fuzzy Hash: f34fc03ac489226f86eb8f34e3916d5d2750b2a2c218df9114ed49cd21e80d20
Instruction Fuzzy Hash: 56E1FEB5601B00CFD325DF28E992B97B7E1FF0A705F04886DE4AACB652E735B8148B54

Function 00A56CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ac903c93d93704e9583abe8082fcbf8f7d7424a4e11a8dfe7e375e17c1302b
Instruction ID: 6a4beb312255fb50f08e5e93239570b146c15f531d76cb9928e3bdee80fcb143
Opcode Fuzzy Hash: 14ac903c93d93704e9583abe8082fcbf8f7d7424a4e11a8dfe7e375e17c1302b
Instruction Fuzzy Hash: B3D1E236A18351CFCB14CF78D88052AB7F2BB89315F098A6CE891C7391D375DA4ACB91

Function 00A57AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89672976f3ec27dae638fcf92bd52d5a09616bef48ed6024cc1b53f2ff414c3
Instruction ID: 3e722b32f419598eac8648097be2a9c29351e258c16e9426df6ef8d86e70bb37
Opcode Fuzzy Hash: a89672976f3ec27dae638fcf92bd52d5a09616bef48ed6024cc1b53f2ff414c3
Instruction Fuzzy Hash: DFB1D272A083504BE714DB28EC45B6FB7E6BBC4315F08492CED99A7391E635DC098B92

Function 00A1AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: 0f4143f23222b04188d7fc3dacdf570d465eebbb59287eb970fd755dd9768690
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 25C18CB2A587418FC360CF28DC96BABB7F1BF85318F08492DD1D9C6242E778A155CB16

Function 00A26536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b454bed7590063383335c7fe258d23ed008888184b2a9955f0cd728f6667f14f
Instruction ID: 523df47cd075bba25bfb02e4c6269286b8ce5a27a3e2d62db737cb10a5968989
Opcode Fuzzy Hash: b454bed7590063383335c7fe258d23ed008888184b2a9955f0cd728f6667f14f
Instruction Fuzzy Hash: 10B1F3B4501B408FD325CF28DA81B67BBF1AF46704F14886CE8AA8BB52E775F805CB55

Function 00A57710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd35424b2133235b4dfb6966f3bbaa400b9d0e23ae1cb638b7affd027474c220
Instruction ID: 7b637fdb58176777a34c4dab3a76e057147db426429054d712abdadfc2864fbf
Opcode Fuzzy Hash: bd35424b2133235b4dfb6966f3bbaa400b9d0e23ae1cb638b7affd027474c220
Instruction Fuzzy Hash: 23917071A0C301ABE720DB64E840B6FB7E5FB85356F54481CF995A7351E730E948CBA2

Function 00A5A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6b582229db8f54f2ea8b7ac2647917398b811e8730608af1cc3b0938c4ec50
Instruction ID: d4eedc91aa7a04d5881d84b377b4a50ed02f56acae64c6c9259b16b3733a7bc9
Opcode Fuzzy Hash: ef6b582229db8f54f2ea8b7ac2647917398b811e8730608af1cc3b0938c4ec50
Instruction Fuzzy Hash: 8A81A0342087018FD724DF28D890A2EB7F5FF69755F458A2CE8868B261E731EC15CB92

Function 00A464F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e42aded61c305c68b27fa7d3b677712ad94da33a6ca1bdae612e51d893f33ab
Instruction ID: bc10664e667abb11498ef84bdfcd33df5f3bef5567aa7006dccf753812ecb80d
Opcode Fuzzy Hash: 4e42aded61c305c68b27fa7d3b677712ad94da33a6ca1bdae612e51d893f33ab
Instruction Fuzzy Hash: 56710837B29A904BC3149D7C5C82395AA535BE7334B3EC379E9B4CB3E9D6694C064342

Function 00A328E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498edcaeeba9e870a60e68b8d8e73d0a7043a45461d7a8e09391d38faf5c1fc2
Instruction ID: 08addad734ae4a363327799d32d6c6c04325452e5e28fcfe9273fa40ca218b14
Opcode Fuzzy Hash: 498edcaeeba9e870a60e68b8d8e73d0a7043a45461d7a8e09391d38faf5c1fc2
Instruction Fuzzy Hash: EA6175B44083509BD311AF19E841A2BBBF1FFA6760F08491CF4C59B261E379D951CB66

Function 00A37C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7401a92c87b6b326c216d15ba4c544808e30cb2cfa3dab664fb11a9d5a20a1d
Instruction ID: c0038b5a52bedf58bf7a07d792070139637c804ad52940e4705a7b886b40607d
Opcode Fuzzy Hash: f7401a92c87b6b326c216d15ba4c544808e30cb2cfa3dab664fb11a9d5a20a1d
Instruction Fuzzy Hash: D451ADF1648304ABDB309B28CC92BBB73B4EF857A4F184958F9858B291F375D845C761

Function 00A41860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 8367ab08ba265e59701becf34094ec53322f564aa99545f2e2640ff0831ce292
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 8461AD39609315ABD714CF29C58072FBBE2ABC9390F68C92DE4998B352D370DDC59742

Function 00A482D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455e1f69dcd55c0daf1da081f2b509ebf91f885d0e31ab18fc9d0ed3d594c1bc
Instruction ID: 3dcfdbb5e1f3891d7d489816c78841e694c4b89289c91e91594d19aa72358a7d
Opcode Fuzzy Hash: 455e1f69dcd55c0daf1da081f2b509ebf91f885d0e31ab18fc9d0ed3d594c1bc
Instruction Fuzzy Hash: 0261493BB5AA904BC3148A3C6C553AE6A931BD6730F3EC3A5D9B18F3E4CD6D48024341

Function 00A242FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80c6017dfab35be0273d33038a18dd4a69c822df8469be7ac1e6d6c9c2bdbf2
Instruction ID: 0599b7244652a86cbf58db36f70ca7f45acda2b28f4a0b130eba7f9c3b1decd2
Opcode Fuzzy Hash: d80c6017dfab35be0273d33038a18dd4a69c822df8469be7ac1e6d6c9c2bdbf2
Instruction Fuzzy Hash: D781E2B4810B00AFD360EF39DA47797BEF5AB06311F404A2DE4EA96654E7306459CBE3

Function 00A4E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: a86dd16296d22bb4d1a1337d0035bbc4b66fa41dd5d0831e8a24ae614a714f0f
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 1B517DB56083548FE314DF69D49436BBBE1BBC5358F044E2DE4E983390E379DA088B82

Function 00A57520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab64d49619702d128ef8ed893f0d271b7532c9d32ceaab31e461457af27b5ec
Instruction ID: 68dd2f1862383b8c47a828cec24d31c636aef51861eb4eb0f26c7e63953b84a9
Opcode Fuzzy Hash: 5ab64d49619702d128ef8ed893f0d271b7532c9d32ceaab31e461457af27b5ec
Instruction Fuzzy Hash: 3751083160C2109BC7159F18EC90B3EB7E6FB89356F288A2CEDD567391D631EC198B91

Function 00A15A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cfe6b8417cb8ac8dcedda49ce416206837e2a86f1de6746bfcb63ab3c63bb3
Instruction ID: f52346da969131cf75be86ba5c0c122db9e1897da575bcceb526faafaca77bfc
Opcode Fuzzy Hash: 79cfe6b8417cb8ac8dcedda49ce416206837e2a86f1de6746bfcb63ab3c63bb3
Instruction Fuzzy Hash: 5C51B3B5E08704DFC714DF28C890966B7A1FFC5364F59466CE8958B352D631EC82CB92

Function 00B19952 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a550cff9bdff3b069b0023915db699dc9de5747494276dcbf965ab61372e317f
Instruction ID: feaf74bc005ef7ce9634819d0351eed153ba4d0e0b2afbcacbd991589f91cc9a
Opcode Fuzzy Hash: a550cff9bdff3b069b0023915db699dc9de5747494276dcbf965ab61372e317f
Instruction Fuzzy Hash: 65415BF3E082105BE3486E3CDC95376BAD69F94350F2B823DEE8997788F9351D054296

Function 00A3EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99471d570ff4c64a36770c56c2b897d5282bce498da7e4a938872f9927d20cae
Instruction ID: 084583047b8644f1896107a4dae54b24f239877ac7b89bc1387e4620c75c7c20
Opcode Fuzzy Hash: 99471d570ff4c64a36770c56c2b897d5282bce498da7e4a938872f9927d20cae
Instruction Fuzzy Hash: 74419C78900315DBDF20CF94DC91BAEB7B1FF0A340F144548F945AB2A0EB38A951CB91

Function 00A59B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d33ec1e39b13fea727e3320459b6af72e0c4668d395b446b47f54c04b35e670
Instruction ID: 7b0cb5e772aaa4ba4f868366cd959df582e870706d28db9471358be3f5e1757a
Opcode Fuzzy Hash: 1d33ec1e39b13fea727e3320459b6af72e0c4668d395b446b47f54c04b35e670
Instruction Fuzzy Hash: E1419C34608300EFD710DB65D990B2BB7F6FB85712F54882CF9899B251D371E809CB62

Function 00A22030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658c69feb889a2ccea0d08916ff65a8b83c8c3bc005f1a53189b1a7af35183ed
Instruction ID: 9da8ea673f69dfc59c531aef62b86700e109c3017694d578b832f9d1787f1409
Opcode Fuzzy Hash: 658c69feb889a2ccea0d08916ff65a8b83c8c3bc005f1a53189b1a7af35183ed
Instruction Fuzzy Hash: 4E41F672A0C3655FD35CCF29949073ABBE2ABC8310F09863EE5D687394DAB48D45D781

Function 00A21E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b07fcf227760c805e1e70cf0ddfce08940cbe14526e3c14e2e1dabb6b226b6
Instruction ID: 21d86747b21198c1a2ed7a044eecab91bf1bddfa7bca16f341eadeed77533831
Opcode Fuzzy Hash: c6b07fcf227760c805e1e70cf0ddfce08940cbe14526e3c14e2e1dabb6b226b6
Instruction Fuzzy Hash: 19412070108380ABD320AB59D884B2EFBF5FB9A354F14492DF6C097292C376E8148B66

Function 00A58D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8092f0c63387d34971f34d96154b09c15aaaebb488732a31da41e9534f3a3f9c
Instruction ID: 13fba94958eca903ee789905c1a3602e8a04f3ee99994db30615037553be10c3
Opcode Fuzzy Hash: 8092f0c63387d34971f34d96154b09c15aaaebb488732a31da41e9534f3a3f9c
Instruction Fuzzy Hash: BB41B23260D2508FC704DF68C49052EFBF6AF99301F198A1DD8D5E7291DB79DD058B82

Function 00A2D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98347cef3fc5f564d14359fc281ab079801d79339e8170c4eb7dbd854ffc7e7f
Instruction ID: 425bea77f30b40d1e43dbb227587ef114645a5cff19da8a9ec21da5c3c51bd8e
Opcode Fuzzy Hash: 98347cef3fc5f564d14359fc281ab079801d79339e8170c4eb7dbd854ffc7e7f
Instruction Fuzzy Hash: 1B41BCB1548391CBD330DF14D845FABB7B1FFA63A0F040968E48A8BA52E7744881CB53

Function 00A4F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 8cc9f89f3305dac1fbddc2153b52202c890968f6ce61ab411ea03b97ce620348
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 5E2107369082244FC7249B5DC48163BF7E4EBDA705F06963ED9C4A7295E3359C1487E1

Function 00A567EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b1f171e915b5ef1dd7377e35a24e7d508d74841928acd2892c619a2d2eef61
Instruction ID: 8a390ec15d61b7f676ec5a1bfb74783524d8598cec85a7255c2810e3823787c8
Opcode Fuzzy Hash: c5b1f171e915b5ef1dd7377e35a24e7d508d74841928acd2892c619a2d2eef61
Instruction Fuzzy Hash: 833114705183829AD714CF14C49062FBBF0FF96799F54590DF8C8AB261D338D989CB9A

Function 00C67D8F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54621f72252d6eb8325593ffb42b066215ddea04c02b2e49fd3de9a86cb31b0
Instruction ID: e57bd1e55e858a3a66d07a9834a354bd0b08f41e221776d3c0283b17fafc0cba
Opcode Fuzzy Hash: e54621f72252d6eb8325593ffb42b066215ddea04c02b2e49fd3de9a86cb31b0
Instruction Fuzzy Hash: 7531BFB251C3009FE305BF29DC816AAFBE5EF58720F16492DE6D4C3650EA35A8008A87

Function 00A35E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b3014df32c0a4d92bca9f01a9deed53e3eea49c61ab67d2f8eb851077c7583
Instruction ID: 4d4126f2f57339e2ce319b70e619b03c17bfce02af905c08537c5824b2df28db
Opcode Fuzzy Hash: f9b3014df32c0a4d92bca9f01a9deed53e3eea49c61ab67d2f8eb851077c7583
Instruction Fuzzy Hash: FA21AE719082019BC310AF28C94192BBBF5EF96765F54890CF4D99B292E338CA00CBA3

Function 00A149A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: ff470a29ffbbf93473911e1c92dea03fb0a986bc2d506dabb4d91b6cf8e0cd2a
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 3831EA756482009FD7109F1CD8809ABB7E1EF8C398F19892CE89ADB241D231DCC2CB86

Function 00A564B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb694cbe700a8c6acf86c10dadd5ba09bf4861755e3975e3d321bf0cf80e121
Instruction ID: 99dfaff489467d47827059a098dc2e8e46caba0c00f505d741d3f9606598e004
Opcode Fuzzy Hash: 3fb694cbe700a8c6acf86c10dadd5ba09bf4861755e3975e3d321bf0cf80e121
Instruction Fuzzy Hash: E8217A7050C2009BC714EF59D590A2EF7F2FB85752F58881CE8C597361C334A859CB62

Function 00A55700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f095f8f62442c8c141e77386092f262bcebd131574dd6ce185bfb736db0d5f3b
Instruction ID: 49e071b4d8352b43ba6c6c6bd336048cd9c9a5802c2fc49a58aa87bbacf77e8b
Opcode Fuzzy Hash: f095f8f62442c8c141e77386092f262bcebd131574dd6ce185bfb736db0d5f3b
Instruction Fuzzy Hash: F911917591C240EBC701AF28E954A1BBBF5AF9A711F058C28E8C49B211D335D815CB93

Function 00A4B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 99df434421563eddb6211c061b92aafe783a467856719bb349a1ff6b94a58006
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 9311E537A151D80EC3168E3C8440565FFA31AE3234B5A8399F4B89B2D2D732CD8A9374

Function 00A40B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: b8c8c15c31deef133f6556e5dbd233b6fa683c456c02385bdb8c4ac17afe2b0a
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 2301D4FAA4070247E720DF5095D0F3BB2A9EFC0B28F08452CEA0647302DB71EC06D2A9

Function 00A3D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbcee66696136028feea1849c79e36900e276aea2f19bceed5c3a2eb4fa814a
Instruction ID: 3dc8b6c5141055eb7bbc7c7d9eda5a0c19094e06e2a8f51649e96801cdd8d783
Opcode Fuzzy Hash: cfbcee66696136028feea1849c79e36900e276aea2f19bceed5c3a2eb4fa814a
Instruction Fuzzy Hash: 0F11DDB0408380AFD3109F618584A1FFBE5ABA6714F148C0DF6A49B251C379D819CB56

Function 00A16EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f6400e103c1b53236c4d7e37608cce0a0bbcb41dec338faad5f0632e34e3a2
Instruction ID: e4430661271cb8da121b14ea63727d60dca2b21d06bf5f6461ceb133138237d6
Opcode Fuzzy Hash: b4f6400e103c1b53236c4d7e37608cce0a0bbcb41dec338faad5f0632e34e3a2
Instruction Fuzzy Hash: 3DF0E93E72931A0BA210CEAAE88487BF3E7D7D9356B145538EE41D3241DD72EC0791E4

Function 00A4B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 00A2C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00A2B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 7e8300d5a3aaa77e0b48387d41eef9133df72de16b566aeb8ad295c26f20cd2b
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 51F0A7B1A1452067DB22DA59ACC0F37BB9CCB96354F190436EC8557143D2616845C3F5

Function 00A48220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b0d169217328b6b4162a0eea69b6382f8fe1655d085ae78c80255b39c600f9
Instruction ID: 88ba8d4281fc340c396540a422887f23bec7d0ac30f43dd4a4827744cc7b5356
Opcode Fuzzy Hash: b0b0d169217328b6b4162a0eea69b6382f8fe1655d085ae78c80255b39c600f9
Instruction Fuzzy Hash: 7A01E4B04107009FC360EF29C445747BBE8FB08714F004A1DE8AECB680D770A548CB82

Function 00A51440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 225c366e2aaadd2c05434a31ad12571b3e10699505e957864f0837e979d425ec
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 8ED0A771608321469F748F19A400A77F7F0FAC7B12F89A55EF986E3148D230DC41C2A9

Function 00A21ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa6a1ea3f73075a92f68f2c754563d164493b5133d57e40f234f793affd3004
Instruction ID: eda3d5a67949c82ce54f607791df6efb2df918089f982cf2262e78f0eba49834
Opcode Fuzzy Hash: 2aa6a1ea3f73075a92f68f2c754563d164493b5133d57e40f234f793affd3004
Instruction Fuzzy Hash: 77C08C34A292008FC204DF84FC9A432B7B8B30B30A710703ADA03F3261DA70C4038909

Function 00A56094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d85a0951326c9471b1ebdee9a2f5f3e59ac8b7c6a18538c1c62ba7914a8386e
Instruction ID: ce88158a2066d30af1418cd3b51133bc4acbbdbf2a0f9dbad3159e098c475e36
Opcode Fuzzy Hash: 1d85a0951326c9471b1ebdee9a2f5f3e59ac8b7c6a18538c1c62ba7914a8386e
Instruction Fuzzy Hash: 82C09B35E5C00097950CCF54E951475F3769B97715724B01DCC06232DBC174D91BD91C

Function 00A21A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5dc879b73f58348f39c17ad2246cee8a4f819bb0607652ed56b5b2cad2e4155
Instruction ID: e2a3ee9eb34e94e6797af8eb6c5d255dd63f266d824ec31e98336703f68af3be
Opcode Fuzzy Hash: d5dc879b73f58348f39c17ad2246cee8a4f819bb0607652ed56b5b2cad2e4155
Instruction Fuzzy Hash: B5C09B34A69140CFC244DFC9F8D5431A3FC7317309710303A9B03F7261D570D4068509

Function 00A55FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1355290908.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1355277102.0000000000A10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000A70000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000BF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000CD7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355323922.0000000000D1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355556460.0000000000D1F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355666324.0000000000EBD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1355679293.0000000000EBE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec6c2bfd722fea4dacf83715f604c857b9763b8ced04f84dc3dce6d4c360cf8
Instruction ID: e9cb521286aae8a26307858385e96f65d8d7e09a35d008965c26a10fe34bfdde
Opcode Fuzzy Hash: 5ec6c2bfd722fea4dacf83715f604c857b9763b8ced04f84dc3dce6d4c360cf8
Instruction Fuzzy Hash: 51C09225B68000ABAA4CCF58DD51935F2BA9B8BB18B14B02DC806A329BD174D917860C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 00A550FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 00A1FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 00A1D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00A55BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00A5695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 00A2049B Relevance: .3, Instructions: 264
COMMON

Function 00A20228 Relevance: .2, Instructions: 218
COMMON

Function 00A53220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00A53202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON