Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1529174
MD5:	64b7a8116f8b1bc1984041382b79150f
SHA1:	f1f95402a3fdda9e44b5d270cb455d20f48c871d
SHA256:	735aaabab978befd9973ce7daf8c8d5d0c655cd764d52ac4536710efb89c72a7
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 64B7A8116F8B1BC1984041382B79150F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["clearancek.site", "mobbipenju.store", "dissapoiznw.storec", "eaglepawnoy.storec", "bathdoomgaz.storec", "spirittunek.storec", "licendfilteo.sitec", "studennotediw.storec"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T17:32:02.377057+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.5	64802	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T17:32:02.290035+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.5	58420	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T17:32:02.346723+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.5	49407	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T17:32:02.333837+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.5	62500	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T17:32:02.398462+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.5	50855	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T17:32:02.321992+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.5	49316	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T17:32:02.386698+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.5	51537	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T17:32:02.364521+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.5	56272	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.1892.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "mobbipenju.store", "dissapoiznw.storec", "eaglepawnoy.storec", "bathdoomgaz.storec", "spirittunek.storec", "licendfilteo.sitec", "studennotediw.storec"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC50FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00B8D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00B8D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00BC63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00BC99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_00BC695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00B8FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00B90EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00BC6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_00BBF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00B96F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00B81000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00BC4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00BAD1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B942FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00BA2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00BA2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_00B8A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00BC64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_00B9B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00BAC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00B9D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00BC1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00B88590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B96536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00BC7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00BA9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00BBB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAD7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_00BC67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00BC7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00BA28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00B849A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00BC3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00B9D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00B91ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00B91A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00B85A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00BC4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00BB0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00B91BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B93BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00BC9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00BAAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_00BAAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00BC9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_00BBFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00BA7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_00BAEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BADD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_00BAFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00B96EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_00B8BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00B86EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00B91E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00B94E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BA5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00BA7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_00BAAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00B96F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_00B9FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00B88FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00BC5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BBFF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00BA9F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:49407 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:51537 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:58420 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:50855 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:49316 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:62500 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:64802 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:56272 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: dissapoiznw.storec
Source: Malware configuration extractor	URLs: eaglepawnoy.storec
Source: Malware configuration extractor	URLs: bathdoomgaz.storec
Source: Malware configuration extractor	URLs: spirittunek.storec
Source: Malware configuration extractor	URLs: licendfilteo.sitec
Source: Malware configuration extractor	URLs: studennotediw.storec

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000002.2055620738.000000000161D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2055535290.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.c equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=e299054bf7b90f47f0cb1fd8; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 15:32:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2055535290.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.c equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2054467902.0000000001619000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: om/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2054467902.0000000001619000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: om/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=e299054bf7b90f47f0cb1fd8; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 15:32:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000002.2055535290.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.c
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.2054282200.00000000015ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055535290.00000000015ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site/api
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000002.2055430026.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.00000000015C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/7
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2055535290.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055430026.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054282200.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.00000000015E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.2055535290.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054282200.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.00000000015E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900p
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2054467902.0000000001619000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054467902.000000000161D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055620738.000000000161D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2054467902.0000000001619000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.00000000015C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B90228	0_2_00B90228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E230EF	0_2_00E230EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCA0D0	0_2_00BCA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B92030	0_2_00B92030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F	0_2_00C2D04F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81000	0_2_00B81000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC4040	0_2_00BC4040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8E1A0	0_2_00B8E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB51F9	0_2_00CB51F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B871F0	0_2_00B871F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4618A	0_2_00D4618A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D57179	0_2_00D57179
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B85160	0_2_00B85160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B812F7	0_2_00B812F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB82D0	0_2_00BB82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB12D0	0_2_00BB12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA53CD	0_2_00CA53CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8B3A0	0_2_00B8B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B813A3	0_2_00B813A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB23E0	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E14371	0_2_00E14371
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8A300	0_2_00B8A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9049B	0_2_00B9049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94487	0_2_00B94487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB64F0	0_2_00BB64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAC470	0_2_00BAC470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B835B0	0_2_00B835B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B88590	0_2_00B88590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9C5F0	0_2_00B9C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D50565	0_2_00D50565
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC86F0	0_2_00BC86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D556BF	0_2_00D556BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBF620	0_2_00BBF620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8652	0_2_00BC8652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8164F	0_2_00B8164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D497DC	0_2_00D497DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBE8A0	0_2_00BBE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBB8C0	0_2_00BBB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1860	0_2_00BB1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8A850	0_2_00B8A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC89A0	0_2_00BC89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA098B	0_2_00BA098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C07955	0_2_00C07955
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D48907	0_2_00D48907
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC7AB0	0_2_00BC7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8A80	0_2_00BC8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D34A1A	0_2_00D34A1A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC4A40	0_2_00BC4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87BF0	0_2_00B87BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9DB6F	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC6CBF	0_2_00BC6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BACCD0	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8C02	0_2_00BC8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4CDEE	0_2_00D4CDEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4EDEB	0_2_00D4EDEB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BADD29	0_2_00BADD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAFD10	0_2_00BAFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA8D62	0_2_00BA8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B96EBF	0_2_00B96EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8BEB0	0_2_00B8BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94E2A	0_2_00B94E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8E70	0_2_00BC8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAAE57	0_2_00BAAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B88FD0	0_2_00B88FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC7FC0	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8AF10	0_2_00B8AF10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B8CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B9D300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994134179042904
Source: file.exe	Static PE information: Section: nbdowhua ZLIB complexity 0.9945249914978839

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8220 CoCreateInstance,

0_2_00BB8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1864192 > 1048576

Source: file.exe

Static PE information: Raw size of nbdowhua is bigger than: 0x100000 < 0x19d800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.b80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nbdowhua:EW;zmevaeuu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nbdowhua:EW;zmevaeuu:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1cbee9 should be: 0x1d1908

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: nbdowhua
Source: file.exe	Static PE information: section name: zmevaeuu
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E230EF push 0BE40AE8h; mov dword ptr [esp], ecx	0_2_00E2319B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E230EF push eax; mov dword ptr [esp], ecx	0_2_00E232B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E230EF push 036FC109h; mov dword ptr [esp], eax	0_2_00E232F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D750CA push edi; mov dword ptr [esp], edx	0_2_00D750E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE80B5 push 00237BF4h; mov dword ptr [esp], ebp	0_2_00DE80C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE80B5 push esi; mov dword ptr [esp], ebp	0_2_00DE8118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push ecx; mov dword ptr [esp], eax	0_2_00C2D069
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push ebx; mov dword ptr [esp], ebp	0_2_00C2D0CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push esi; mov dword ptr [esp], edi	0_2_00C2D103
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push edi; mov dword ptr [esp], edx	0_2_00C2D107
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push 22351A28h; mov dword ptr [esp], ecx	0_2_00C2D148
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push 2946D37Bh; mov dword ptr [esp], eax	0_2_00C2D19E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push edi; mov dword ptr [esp], 758961B6h	0_2_00C2D1F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push 14F3B808h; mov dword ptr [esp], eax	0_2_00C2D285
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2D04F push eax; mov dword ptr [esp], edi	0_2_00C2D289
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6207F push edi; mov dword ptr [esp], 7DAD28E2h	0_2_00E620AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6207F push ecx; mov dword ptr [esp], esi	0_2_00E620D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0D041 push eax; mov dword ptr [esp], 51878A0Eh	0_2_00E0D1C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3F027 push 3D9D331Ah; mov dword ptr [esp], esi	0_2_00E3F0BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102A1CD push ebx; mov dword ptr [esp], ebp	0_2_0102A1CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102A1CD push ecx; mov dword ptr [esp], esp	0_2_0102A1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102A1CD push edx; mov dword ptr [esp], 65FF7243h	0_2_0102A1FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102A1CD push eax; mov dword ptr [esp], edx	0_2_0102A217
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102A1CD push ebp; mov dword ptr [esp], 50067BB6h	0_2_0102A221
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102A1CD push 17FC20EBh; mov dword ptr [esp], ebp	0_2_0102A318
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD6029 push edi; mov dword ptr [esp], edx	0_2_00DD604E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4001F push 1220BE30h; mov dword ptr [esp], ebp	0_2_00E40478
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E251FD push 2DACD4E6h; mov dword ptr [esp], eax	0_2_00E253AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB51F9 push edi; mov dword ptr [esp], eax	0_2_00CB5244
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB51F9 push 64E9FE9Ah; mov dword ptr [esp], ecx	0_2_00CB52EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C1AF push 2844E123h; mov dword ptr [esp], ebx	0_2_00E0C1B7

Source: file.exe	Static PE information: section name: entropy: 7.969099973919656
Source: file.exe	Static PE information: section name: nbdowhua entropy: 7.95513118494918

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D50056 second address: D5005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D0A9 second address: D5D0AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D0AE second address: D5D0D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FC09851E716h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007FC09851E724h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D39A second address: D5D3A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D8Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FF1E second address: D5FF28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FC09851E716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6025D second address: D602C9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnp 00007FC098518D86h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FC098518D88h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007FC098518D88h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 jnp 00007FC098518D8Ah 0x0000004b mov dx, D870h 0x0000004f push 8C914E5Eh 0x00000054 push edi 0x00000055 push esi 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D602C9 second address: D60395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 add dword ptr [esp], 736EB222h 0x0000000d mov edi, dword ptr [ebp+122D392Ah] 0x00000013 push 00000003h 0x00000015 js 00007FC09851E727h 0x0000001b jmp 00007FC09851E721h 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007FC09851E718h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c movzx esi, ax 0x0000003f call 00007FC09851E724h 0x00000044 mov esi, dword ptr [ebp+122D3976h] 0x0000004a pop esi 0x0000004b xor esi, 5B3357E8h 0x00000051 push 00000003h 0x00000053 mov edx, dword ptr [ebp+122D1DEDh] 0x00000059 push 442E9564h 0x0000005e jmp 00007FC09851E726h 0x00000063 add dword ptr [esp], 7BD16A9Ch 0x0000006a cmc 0x0000006b push edx 0x0000006c jnc 00007FC09851E71Ch 0x00000072 sub dword ptr [ebp+122D33B4h], edi 0x00000078 pop esi 0x00000079 lea ebx, dword ptr [ebp+1244FE18h] 0x0000007f mov dword ptr [ebp+122D1DBFh], edi 0x00000085 mov ecx, dword ptr [ebp+122D394Eh] 0x0000008b push eax 0x0000008c push eax 0x0000008d push edx 0x0000008e jbe 00007FC09851E71Ch 0x00000094 jo 00007FC09851E716h 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60395 second address: D6039B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D45C9D second address: D45CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D45CA1 second address: D45CAE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7FF1D second address: D7FF22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7FF22 second address: D7FF47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FC098518D86h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FC098518D86h 0x00000015 jmp 00007FC098518D90h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D80067 second address: D8006D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8006D second address: D80073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D801BA second address: D801BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D801BF second address: D801E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007FC098518D86h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f js 00007FC098518D86h 0x00000015 jnc 00007FC098518D86h 0x0000001b jnp 00007FC098518D86h 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D804DA second address: D804DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D804DF second address: D804E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D804E7 second address: D804EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8062B second address: D8062F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8062F second address: D80633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D807CB second address: D807D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8096A second address: D80976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FC09851E716h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D80976 second address: D80994 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC098518D86h 0x00000008 jmp 00007FC098518D8Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D80C3E second address: D80C6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E725h 0x00000007 jng 00007FC09851E716h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jne 00007FC09851E716h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D811FF second address: D81211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC098518D86h 0x0000000a jnp 00007FC098518D86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81211 second address: D81223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b jg 00007FC09851E716h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84B14 second address: D84B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D587B9 second address: D587BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D587BE second address: D587D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC098518D8Bh 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8905D second address: D89061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D891E0 second address: D891E6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D891E6 second address: D89208 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC09851E71Ah 0x00000008 jmp 00007FC09851E71Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D89208 second address: D89225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007FC098518D88h 0x0000000d popad 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007FC098518D86h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D89225 second address: D89229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88125 second address: D8812A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8812A second address: D88130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A637 second address: D8A63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49313 second address: D49318 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8F07F second address: D8F091 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8F091 second address: D8F096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8F096 second address: D8F0B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D8Fh 0x00000009 jc 00007FC098518D86h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D919E3 second address: D919F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC09851E71Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D919F6 second address: D919FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D919FA second address: D91A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91A06 second address: D91A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D93h 0x00000009 popad 0x0000000a pop edx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jnc 00007FC098518D88h 0x00000016 push esi 0x00000017 pop esi 0x00000018 push ecx 0x00000019 push esi 0x0000001a pop esi 0x0000001b pop ecx 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 jbe 00007FC098518D88h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91A40 second address: D91A5E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC09851E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jnc 00007FC09851E724h 0x00000015 pushad 0x00000016 jnp 00007FC09851E716h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92126 second address: D9212B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92869 second address: D9286D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92938 second address: D9293C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92BA4 second address: D92BAA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92BAA second address: D92BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92BB0 second address: D92BBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93AE6 second address: D93B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edx 0x00000009 call 00007FC098518D88h 0x0000000e pop edx 0x0000000f mov dword ptr [esp+04h], edx 0x00000013 add dword ptr [esp+04h], 00000016h 0x0000001b inc edx 0x0000001c push edx 0x0000001d ret 0x0000001e pop edx 0x0000001f ret 0x00000020 mov esi, edx 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007FC098518D88h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e mov dword ptr [ebp+122D1DBFh], edi 0x00000044 push 00000000h 0x00000046 mov edi, 1DB640A7h 0x0000004b xchg eax, ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93B40 second address: D93B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93B44 second address: D93B5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93B5E second address: D93B79 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC09851E71Ch 0x00000008 jnp 00007FC09851E716h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FC09851E718h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94D89 second address: D94D8F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9553C second address: D95558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E728h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95558 second address: D9555E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96197 second address: D9622F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC09851E71Fh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FC09851E718h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b xor dword ptr [ebp+1247BDF1h], ebx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007FC09851E718h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d add esi, 366898A5h 0x00000053 xchg eax, ebx 0x00000054 pushad 0x00000055 jmp 00007FC09851E720h 0x0000005a jc 00007FC09851E721h 0x00000060 jmp 00007FC09851E71Bh 0x00000065 popad 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 jc 00007FC09851E71Ch 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9622F second address: D96233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96940 second address: D96945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99EC2 second address: D99EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99EC8 second address: D99EFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E71Ch 0x00000007 jnp 00007FC09851E716h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC09851E728h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AC69 second address: D9AC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AC6E second address: D9AC78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FC09851E716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C1CE second address: D9C1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E21D second address: D9E264 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC09851E71Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D1A69h], esi 0x00000013 push 00000000h 0x00000015 mov ebx, esi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007FC09851E718h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push esi 0x00000039 pop esi 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C2EB second address: D9C2FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC098518D90h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B42D second address: D9B4AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jp 00007FC09851E722h 0x0000000e nop 0x0000000f pushad 0x00000010 mov dword ptr [ebp+1244B8D5h], eax 0x00000016 mov edx, dword ptr [ebp+122D362Fh] 0x0000001c popad 0x0000001d push dword ptr fs:[00000000h] 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007FC09851E718h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e mov dword ptr [ebp+122D362Bh], ebx 0x00000044 mov dword ptr fs:[00000000h], esp 0x0000004b mov dword ptr [ebp+122D33B4h], ebx 0x00000051 mov eax, dword ptr [ebp+122D1265h] 0x00000057 push FFFFFFFFh 0x00000059 pushad 0x0000005a mov ecx, edx 0x0000005c mov edx, dword ptr [ebp+1247BD44h] 0x00000062 popad 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jp 00007FC09851E71Ch 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E264 second address: D9E27D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B4AD second address: D9B4B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC09851E716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B4B7 second address: D9B4BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F14D second address: D9F19E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FC09851E718h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D287Ah], ebx 0x00000028 push 00000000h 0x0000002a mov edi, eax 0x0000002c push 00000000h 0x0000002e mov edi, 6A345E20h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FC09851E726h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0275 second address: DA028E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jmp 00007FC098518D8Ch 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F388 second address: D9F3B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FC09851E725h 0x0000000f jno 00007FC09851E716h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F3B2 second address: D9F3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F3B6 second address: D9F3BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA1376 second address: DA137C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA04B1 second address: DA04CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC09851E727h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA137C second address: DA1405 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FC098518D86h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FC098518D88h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 call 00007FC098518D88h 0x00000035 pop ebx 0x00000036 mov dword ptr [esp+04h], ebx 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ebx 0x00000043 push ebx 0x00000044 ret 0x00000045 pop ebx 0x00000046 ret 0x00000047 mov ebx, dword ptr [ebp+122D3A26h] 0x0000004d push 00000000h 0x0000004f push 00000000h 0x00000051 push edi 0x00000052 call 00007FC098518D88h 0x00000057 pop edi 0x00000058 mov dword ptr [esp+04h], edi 0x0000005c add dword ptr [esp+04h], 00000016h 0x00000064 inc edi 0x00000065 push edi 0x00000066 ret 0x00000067 pop edi 0x00000068 ret 0x00000069 xchg eax, esi 0x0000006a push eax 0x0000006b push edx 0x0000006c ja 00007FC098518D88h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA04CD second address: DA04D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA1405 second address: DA140B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA04D2 second address: DA04D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA140B second address: DA140F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3457 second address: DA345D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA2650 second address: DA2656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA345D second address: DA3462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA2656 second address: DA2675 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jmp 00007FC098518D92h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3462 second address: DA34E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FC09851E716h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop edi 0x00000014 pop eax 0x00000015 nop 0x00000016 jng 00007FC09851E71Ch 0x0000001c mov edi, dword ptr [ebp+122D379Eh] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007FC09851E718h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 0000001Bh 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007FC09851E718h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000019h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a mov edi, dword ptr [ebp+122D189Ch] 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007FC09851E71Ch 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA2675 second address: DA2689 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC098518D8Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA34E3 second address: DA34E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA34E7 second address: DA34ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA44A0 second address: DA44B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FC09851E718h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA44B1 second address: DA44EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnc 00007FC098518D91h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 jmp 00007FC098518D8Fh 0x00000017 pop ebx 0x00000018 push 00000000h 0x0000001a cld 0x0000001b xchg eax, esi 0x0000001c pushad 0x0000001d jl 00007FC098518D8Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA44EB second address: DA44F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA44F3 second address: DA44FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA44FF second address: DA4515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC09851E71Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5507 second address: DA551E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC098518D93h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA574A second address: DA574E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA83C2 second address: DA83C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8A40 second address: DA8A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA99C1 second address: DA99D9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC098518D8Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB8B3 second address: DAB8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB8B7 second address: DAB8CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB8CF second address: DAB8D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAD944 second address: DAD94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DABA29 second address: DABA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DABA32 second address: DABA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBA37A second address: DBA38C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC09851E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FC09851E72Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBE840 second address: DBE88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jmp 00007FC098518D91h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jl 00007FC098518D9Dh 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FC098518D8Eh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBE88D second address: DBE893 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBE9CD second address: DBE9DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D8Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBE9DE second address: DBE9E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBE9E3 second address: DBE9E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC426C second address: DC4288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jng 00007FC09851E71Eh 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC4288 second address: DC42A3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC098518D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC098518D91h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC42A3 second address: DC42AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC43EF second address: DC43F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC456B second address: DC45CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FC09851E71Ch 0x00000008 pop edx 0x00000009 jnl 00007FC09851E728h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 jnl 00007FC09851E716h 0x0000001d popad 0x0000001e push esi 0x0000001f jmp 00007FC09851E723h 0x00000024 push edx 0x00000025 pop edx 0x00000026 pop esi 0x00000027 jp 00007FC09851E71Ah 0x0000002d push eax 0x0000002e push edx 0x0000002f push edx 0x00000030 pop edx 0x00000031 jng 00007FC09851E716h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC45CD second address: DC45DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D8Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC49B3 second address: DC49CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E71Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC49CA second address: DC49E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D97h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC49E5 second address: DC49F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E71Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC49F7 second address: DC49FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC49FD second address: DC4A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC4A03 second address: DC4A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC4A09 second address: DC4A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC4BC5 second address: DC4BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC098518D8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC4BD5 second address: DC4C06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E723h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FC09851E726h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC4C06 second address: DC4C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA051 second address: DCA056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA056 second address: DCA092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D94h 0x00000007 push edx 0x00000008 jmp 00007FC098518D95h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 jbe 00007FC098518D86h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA092 second address: DCA097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9032E second address: D90333 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90333 second address: D903CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jns 00007FC09851E72Ch 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FC09851E718h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 jne 00007FC09851E720h 0x0000002f sub dword ptr [ebp+122D286Ah], edi 0x00000035 mov edx, dword ptr [ebp+122D378Eh] 0x0000003b lea eax, dword ptr [ebp+12480062h] 0x00000041 jmp 00007FC09851E71Dh 0x00000046 call 00007FC09851E71Eh 0x0000004b push ebx 0x0000004c pop edi 0x0000004d pop ecx 0x0000004e nop 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FC09851E71Ch 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D904D0 second address: D904D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D904D9 second address: D904DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D904DD second address: D904F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90A13 second address: D90A19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90A19 second address: D90A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90B77 second address: D90B7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90B7D second address: D90B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90B81 second address: D90BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FC09851E718h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 sub edi, dword ptr [ebp+122D1BC5h] 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jno 00007FC09851E716h 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90C8E second address: D90C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D915D7 second address: D915EF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC09851E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b js 00007FC09851E716h 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D915EF second address: D91621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ebx 0x00000008 jmp 00007FC098518D8Fh 0x0000000d pop ebx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jmp 00007FC098518D91h 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91621 second address: D91641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC09851E726h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9171C second address: D773B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D38AEh] 0x00000011 lea eax, dword ptr [ebp+12480062h] 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FC098518D88h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 call 00007FC098518D92h 0x00000036 xor cx, 5F6Bh 0x0000003b pop edx 0x0000003c push eax 0x0000003d jmp 00007FC098518D8Dh 0x00000042 mov dword ptr [esp], eax 0x00000045 mov edx, 7B1B41C1h 0x0000004a call dword ptr [ebp+122D1AA8h] 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 jg 00007FC098518D86h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA3AC second address: DCA3C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC09851E721h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA3C7 second address: DCA3CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA3CB second address: DCA402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC09851E716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FC09851E71Bh 0x00000012 pop eax 0x00000013 popad 0x00000014 pushad 0x00000015 push ebx 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop ebx 0x00000019 jbe 00007FC09851E724h 0x0000001f push edx 0x00000020 pop edx 0x00000021 jmp 00007FC09851E71Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD0BE6 second address: DD0BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD0BEA second address: DD0BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FC09851E726h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD0BF8 second address: DD0C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D8Ah 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC098518D91h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF9D8 second address: DCF9E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FC09851E716h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF9E6 second address: DCF9EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF9EB second address: DCFA03 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC09851E71Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FC09851E716h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCFB69 second address: DCFB6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCFB6F second address: DCFB75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCFB75 second address: DCFB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD0421 second address: DD042B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD042B second address: DD0440 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC098518D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FC098518D8Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD0440 second address: DD0448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD0448 second address: DD0465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD0465 second address: DD0474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC09851E71Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD08CC second address: DD08D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD08D0 second address: DD08ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC09851E716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC09851E721h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD520B second address: DD5245 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FC098518D86h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007FC098518D92h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC098518D92h 0x0000001c push edi 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5F90 second address: DD5F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5F96 second address: DD5FAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D90h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5FAA second address: DD5FAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6135 second address: DD613A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD613A second address: DD6145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FC09851E716h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6145 second address: DD614B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD4F2F second address: DD4F4B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC09851E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007FC09851E722h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD4F4B second address: DD4F5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC098518D8Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCC70 second address: DDCC93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC09851E71Ah 0x00000008 jmp 00007FC09851E71Dh 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCC93 second address: DDCCAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC098518D8Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCCAC second address: DDCCB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C8D5 second address: D4C8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDF131 second address: DDF13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC09851E716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDF13B second address: DDF184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D99h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007FC098518D8Eh 0x00000013 jmp 00007FC098518D98h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDF184 second address: DDF18E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC09851E71Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDEE53 second address: DDEE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FC098518D86h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE1D89 second address: DE1D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE9922 second address: DE9929 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE9929 second address: DE9936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8300 second address: DE830A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC098518D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE830A second address: DE8314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE84A3 second address: DE84BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FC098518D86h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jnp 00007FC098518D86h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE84BB second address: DE84F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E727h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FC09851E728h 0x00000015 jmp 00007FC09851E722h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE84F4 second address: DE84FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91097 second address: D910F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC09851E721h 0x0000000e nop 0x0000000f mov edx, 1364454Bh 0x00000014 mov ebx, dword ptr [ebp+124800A1h] 0x0000001a jmp 00007FC09851E71Fh 0x0000001f add eax, ebx 0x00000021 mov di, 9711h 0x00000025 push eax 0x00000026 pushad 0x00000027 pushad 0x00000028 push eax 0x00000029 pop eax 0x0000002a jmp 00007FC09851E729h 0x0000002f popad 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D910F4 second address: D910FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D910FA second address: D91147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007FC09851E71Dh 0x0000000e mov edi, edx 0x00000010 pop edi 0x00000011 push 00000004h 0x00000013 push ecx 0x00000014 mov edi, dword ptr [ebp+122D3912h] 0x0000001a pop ecx 0x0000001b jmp 00007FC09851E723h 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FC09851E724h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8A8C second address: DE8A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8A91 second address: DE8AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC09851E726h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8AAD second address: DE8AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED8F4 second address: DED8FE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC09851E716h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD2F second address: DECD61 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC098518D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC098518D8Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC098518D98h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED1AC second address: DED1D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC09851E725h 0x00000008 pop esi 0x00000009 pushad 0x0000000a jmp 00007FC09851E71Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED451 second address: DED477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FC098518D8Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FC098518D90h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF099C second address: DF09A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF09A2 second address: DF09AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF09AC second address: DF09B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF024C second address: DF025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FC098518D8Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF025C second address: DF0262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF03DA second address: DF03EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF06A4 second address: DF06C3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnc 00007FC09851E716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC09851E721h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF06C3 second address: DF06C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF8C1E second address: DF8C45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E726h 0x00000007 jns 00007FC09851E716h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF6F4B second address: DF6F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF70C2 second address: DF70E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E722h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF70E2 second address: DF70E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF70E6 second address: DF70EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF8395 second address: DF83A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC098518D86h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF83A3 second address: DF83CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC09851E716h 0x0000000a jo 00007FC09851E716h 0x00000010 popad 0x00000011 jbe 00007FC09851E737h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC09851E71Dh 0x0000001e push edx 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF8670 second address: DF8680 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FC098518D86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFBEAD second address: DFBEB7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC09851E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFBEB7 second address: DFBEC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 je 00007FC098518D86h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC00D second address: DFC035 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC09851E718h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FC09851E726h 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC1A0 second address: DFC1AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC1AA second address: DFC1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC09851E716h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 ja 00007FC09851E716h 0x00000017 push edx 0x00000018 pop edx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pop edx 0x0000001e jmp 00007FC09851E726h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC1DE second address: DFC201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D95h 0x00000007 jmp 00007FC098518D8Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC5D7 second address: DFC5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC5DB second address: DFC5E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC5E1 second address: DFC5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC09851E727h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC5FE second address: DFC615 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jns 00007FC098518D86h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pushad 0x0000000f jg 00007FC098518D86h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC615 second address: DFC647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC09851E724h 0x00000009 jbe 00007FC09851E716h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC09851E71Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC77E second address: DFC782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC782 second address: DFC78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC78C second address: DFC790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC790 second address: DFC7A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC09851E71Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC913 second address: DFC91F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC098518D86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFC91F second address: DFC923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E02EB2 second address: E02EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E02EB8 second address: E02EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E09E60 second address: E09E7B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC098518D86h 0x00000008 jmp 00007FC098518D91h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E09E7B second address: E09E83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A41A second address: E0A437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D98h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A437 second address: E0A43D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A5EA second address: E0A5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A86F second address: E0A873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A873 second address: E0A879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A879 second address: E0A883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A883 second address: E0A889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A889 second address: E0A8A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC09851E71Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A8A5 second address: E0A8AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC098518D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A8AF second address: E0A8B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A8B3 second address: E0A8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A8B9 second address: E0A8C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007FC09851E716h 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0ABBE second address: E0ABC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0ABC7 second address: E0ABD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FC09851E716h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0ABD2 second address: E0ABD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0BA5F second address: E0BA63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0BA63 second address: E0BA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jns 00007FC098518D86h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0BA76 second address: E0BA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0980A second address: E0980E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0980E second address: E0982B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jbe 00007FC09851E716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007FC09851E71Ch 0x00000012 jnc 00007FC09851E716h 0x00000018 popad 0x00000019 pushad 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0982B second address: E09831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E09831 second address: E09851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC09851E729h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E09851 second address: E09865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FC098518D86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FC098518D8Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0E294 second address: E0E2A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FC09851E716h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0E2A1 second address: E0E2A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0E106 second address: E0E10A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0E10A second address: E0E12A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC098518D98h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0E12A second address: E0E12F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E22E63 second address: E22E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2291F second address: E22923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E22923 second address: E2292D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC098518D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2292D second address: E22932 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E22932 second address: E2294B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FC098518D8Eh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2294B second address: E22984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC09851E716h 0x0000000a jmp 00007FC09851E728h 0x0000000f popad 0x00000010 jmp 00007FC09851E71Dh 0x00000015 pushad 0x00000016 jne 00007FC09851E716h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E24E7B second address: E24EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FC098518D9Fh 0x0000000b jns 00007FC098518D8Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E24EB1 second address: E24EB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E24A19 second address: E24A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E363E2 second address: E363FA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC09851E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC09851E71Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E363FA second address: E3641A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC098518D96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3641A second address: E3641E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3641E second address: E3643A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC098518D90h 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3643A second address: E36440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3F706 second address: E3F70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E094 second address: E3E0A2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC09851E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E0A2 second address: E3E0A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E0A8 second address: E3E0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E361 second address: E3E365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E365 second address: E3E373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FC09851E716h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E373 second address: E3E37B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E37B second address: E3E383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E61F second address: E3E625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E625 second address: E3E629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3F3F5 second address: E3F410 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC098518D8Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a jns 00007FC098518D86h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007FC098518D86h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3F410 second address: E3F43A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FC09851E718h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC09851E728h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3F43A second address: E3F466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FC098518D99h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4231E second address: E42322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E42322 second address: E42328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E42328 second address: E42338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E42338 second address: E4233C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4DE74 second address: E4DE80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4DE80 second address: E4DED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D8Eh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jmp 00007FC098518D98h 0x00000010 jng 00007FC098518D86h 0x00000016 jmp 00007FC098518D8Ch 0x0000001b je 00007FC098518D86h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FC098518D8Ch 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4DD1D second address: E4DD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FC09851E721h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7A409 second address: E7A40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7A40D second address: E7A417 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC09851E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7A81C second address: E7A822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7ADA2 second address: E7ADA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7ADA6 second address: E7ADBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FC098518D86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jno 00007FC098518D86h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7ADBB second address: E7ADC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7F018 second address: E7F01E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7F327 second address: E7F343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC09851E723h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7F343 second address: E7F3A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FC098518D88h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 call 00007FC098518D8Eh 0x0000002c mov edx, dword ptr [ebp+122D1B72h] 0x00000032 pop edx 0x00000033 push 00000004h 0x00000035 mov edx, 43ACA079h 0x0000003a push D861CEE2h 0x0000003f pushad 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7F3A0 second address: E7F3AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007FC09851E71Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7F5DF second address: E7F5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7F5E3 second address: E7F60B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC09851E718h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d movzx edx, cx 0x00000010 push dword ptr [ebp+122D33FFh] 0x00000016 sub dword ptr [ebp+122D286Ah], ecx 0x0000001c push F67B3000h 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E80FCB second address: E80FDF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC098518D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FC098518D86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82BC0 second address: E82BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82BC4 second address: E82C21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FC098518D8Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007FC098518D9Eh 0x0000001c jmp 00007FC098518D96h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82C21 second address: E82C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82C27 second address: E82C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC098518D8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82C37 second address: E82C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D11 second address: 54C0D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D15 second address: 54C0D1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D1B second address: 54C0D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC098518D97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FC098518DAEh 0x0000000f jmp 00007FC098518D96h 0x00000014 add eax, ecx 0x00000016 jmp 00007FC098518D90h 0x0000001b mov eax, dword ptr [eax+00000860h] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D6F second address: 54C0D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, dx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D77 second address: 54C0D7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D7C second address: 54C0D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D82 second address: 54C0D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test eax, eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D91 second address: 54C0D95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D95 second address: 54C0D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0D9B second address: 54C0DB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC108AD46D2h 0x0000000e pushad 0x0000000f movsx ebx, si 0x00000012 push eax 0x00000013 push edx 0x00000014 movzx eax, di 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0DB2 second address: 54C0DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 test byte ptr [eax+04h], 00000005h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC098518D97h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0DD6 second address: 54C0DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54C0DDA second address: 54C0DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D949DB second address: D949F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC09851E71Ch 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D949F5 second address: D949F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D949F9 second address: D949FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D9053F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E19B38 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6532	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4568	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2054282200.00000000015ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055535290.00000000015ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: file.exe, 00000000.00000002.2055369900.000000000158E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: file.exe, 00000000.00000002.2055535290.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC5BB0 LdrInitializeThunk,

0_2_00BC5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: uProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	5 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
eaglepawnoy.store	unknown	unknown	true	unknown
bathdoomgaz.store	unknown	unknown	true	unknown
spirittunek.store	unknown	unknown	true	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	true	unknown
mobbipenju.store	unknown	unknown	true	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dissapoiznw.storec	true		unknown
studennotediw.storec	true		unknown
licendfilteo.sitec	true		unknown
clearancek.site	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
bathdoomgaz.storec	true		unknown
eaglepawnoy.storec	true		unknown
mobbipenju.store	true		unknown
spirittunek.storec	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000003.2054467902.0000000001619000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.00000000015C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/7	file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900p	file.exe, 00000000.00000002.2055535290.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054282200.00000000015E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.00000000015E0000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://clearancek.site/api	file.exe, 00000000.00000003.2054282200.00000000015ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055535290.00000000015ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000002.2055430026.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.00000000015C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000002.2055430026.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055659191.0000000001663000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054576258.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2053973086.0000000001652000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2053973086.0000000001658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000003.2054467902.0000000001619000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054467902.000000000161D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2055620738.000000000161D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2054027741.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.c	file.exe, 00000000.00000002.2055535290.0000000001614000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2054531252.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529174
Start date and time:	2024-10-08 17:31:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:32:01	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	15PylGQjzK.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	Ji7kZhlqxz.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	15PylGQjzK.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	Ji7kZhlqxz.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	original (3).eml	Get hash	malicious	Unknown	Browse	184.28.90.27
	https://support.squarespacrenewel.retroestyle.com/?DTYUI0=RTDM45	Get hash	malicious	Unknown	Browse	23.38.98.78
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	http://cdn.prod.website-files.com/66006200351a0e5dfaa727ed/66de69bda1d04790a2e6ba98_54204894406.pdf	Get hash	malicious	Unknown	Browse	23.217.172.185
	https://simpleinvoices.io/invoices/gvexd57Lej7	Get hash	malicious	Unknown	Browse	23.56.162.185

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.102.49.254
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	104.102.49.254
	E_receipt.vbs	Get hash	malicious	Unknown	Browse	104.102.49.254
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	15PylGQjzK.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	Ji7kZhlqxz.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	90g7XddjcS.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	90g7XddjcS.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949089053039629
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'864'192 bytes
MD5:	64b7a8116f8b1bc1984041382b79150f
SHA1:	f1f95402a3fdda9e44b5d270cb455d20f48c871d
SHA256:	735aaabab978befd9973ce7daf8c8d5d0c655cd764d52ac4536710efb89c72a7
SHA512:	d879907d92d390c1aa6abcef7f78407009e02cb1f20e707bd1017874d9cde669d0ba56249cda565c4273a8c86c80b3b8a31cdfe80391751aa3e01a39a7bec0cb
SSDEEP:	49152:VNHvmbugKsFIhcDnMs72BaOwo1whlGk/AApQ50hg:fvmscPq9wo1EVEYg
TLSH:	878533505CB0A2CAC54D137AD37D9856036B5C3A2D98B277B3CAAA7E9B5BC05C1C7F02
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@...........................J...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8ab000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FC098E337EAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	47240a46d2680c275291cead0411bed8	False	0.9994134179042904	data	7.969099973919656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2ac000	0x200	6b543d99c34024a675b48c10f1080f9c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nbdowhua	0x30c000	0x19e000	0x19d800	4fea736dae7f6c44623d9b398ba21fea	False	0.9945249914978839	data	7.95513118494918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zmevaeuu	0x4aa000	0x1000	0x600	c67be373d80f883309acd386918ff36f	False	0.603515625	data	5.197026579804948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ab000	0x3000	0x2200	f9346c711406fd9b763d412f356b3841	False	0.006433823529411764	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T17:32:02.290035+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.5	58420	1.1.1.1	53	UDP
2024-10-08T17:32:02.321992+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.5	49316	1.1.1.1	53	UDP
2024-10-08T17:32:02.333837+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.5	62500	1.1.1.1	53	UDP
2024-10-08T17:32:02.346723+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.5	49407	1.1.1.1	53	UDP
2024-10-08T17:32:02.364521+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.5	56272	1.1.1.1	53	UDP
2024-10-08T17:32:02.377057+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.5	64802	1.1.1.1	53	UDP
2024-10-08T17:32:02.386698+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.5	51537	1.1.1.1	53	UDP
2024-10-08T17:32:02.398462+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.5	50855	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 17:32:02.440260887 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:02.440289974 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:02.440387964 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:02.441660881 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:02.441674948 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.174823046 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.175113916 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.199666977 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.199678898 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.199990034 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.240725040 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.284296036 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.327409983 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.652240038 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.652264118 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.652283907 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.652293921 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.652307034 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.652314901 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.652322054 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.652353048 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.652477026 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.741257906 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.741313934 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.741353035 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.741434097 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.741434097 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.742770910 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.742770910 CEST	49704	443	192.168.2.5	104.102.49.254
Oct 8, 2024 17:32:03.742783070 CEST	443	49704	104.102.49.254	192.168.2.5
Oct 8, 2024 17:32:03.742786884 CEST	443	49704	104.102.49.254	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 17:32:02.290035009 CEST	58420	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.316335917 CEST	53	58420	1.1.1.1	192.168.2.5
Oct 8, 2024 17:32:02.321991920 CEST	49316	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.331033945 CEST	53	49316	1.1.1.1	192.168.2.5
Oct 8, 2024 17:32:02.333837032 CEST	62500	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.344214916 CEST	53	62500	1.1.1.1	192.168.2.5
Oct 8, 2024 17:32:02.346723080 CEST	49407	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.362076044 CEST	53	49407	1.1.1.1	192.168.2.5
Oct 8, 2024 17:32:02.364521027 CEST	56272	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.374742985 CEST	53	56272	1.1.1.1	192.168.2.5
Oct 8, 2024 17:32:02.377057076 CEST	64802	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.384471893 CEST	53	64802	1.1.1.1	192.168.2.5
Oct 8, 2024 17:32:02.386698008 CEST	51537	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.395787001 CEST	53	51537	1.1.1.1	192.168.2.5
Oct 8, 2024 17:32:02.398462057 CEST	50855	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.407289982 CEST	53	50855	1.1.1.1	192.168.2.5
Oct 8, 2024 17:32:02.409250021 CEST	65174	53	192.168.2.5	1.1.1.1
Oct 8, 2024 17:32:02.417356014 CEST	53	65174	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 17:32:02.290035009 CEST	192.168.2.5	1.1.1.1	0x97fc	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.321991920 CEST	192.168.2.5	1.1.1.1	0xcbba	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.333837032 CEST	192.168.2.5	1.1.1.1	0x973a	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.346723080 CEST	192.168.2.5	1.1.1.1	0x3422	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.364521027 CEST	192.168.2.5	1.1.1.1	0x6fbd	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.377057076 CEST	192.168.2.5	1.1.1.1	0x5f04	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.386698008 CEST	192.168.2.5	1.1.1.1	0xe884	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.398462057 CEST	192.168.2.5	1.1.1.1	0x46cb	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.409250021 CEST	192.168.2.5	1.1.1.1	0x374e	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 17:32:02.316335917 CEST	1.1.1.1	192.168.2.5	0x97fc	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.331033945 CEST	1.1.1.1	192.168.2.5	0xcbba	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.344214916 CEST	1.1.1.1	192.168.2.5	0x973a	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.362076044 CEST	1.1.1.1	192.168.2.5	0x3422	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.374742985 CEST	1.1.1.1	192.168.2.5	0x6fbd	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.384471893 CEST	1.1.1.1	192.168.2.5	0x5f04	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.395787001 CEST	1.1.1.1	192.168.2.5	0xe884	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.407289982 CEST	1.1.1.1	192.168.2.5	0x46cb	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 17:32:02.417356014 CEST	1.1.1.1	192.168.2.5	0x374e	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.102.49.254	443	1892	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 15:32:03 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-08 15:32:03 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 08 Oct 2024 15:32:03 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=e299054bf7b90f47f0cb1fd8; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-08 15:32:03 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-08 15:32:03 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	0
Start time:	11:32:00
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb80000
File size:	1'864'192 bytes
MD5 hash:	64B7A8116F8B1BC1984041382B79150F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	54
Total number of Limit Nodes:	7

Executed Functions

Function 00BC50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00BC5182

Strings

<I$), xrefs: 00BC52E3
@^, xrefs: 00BC5120
<I$), xrefs: 00BC5198

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: 43e65da185654fcbc0346d128c2f1a17ad2a22c8f05d57a43626eb8fee92aed2
Instruction ID: 09e64392e29b03fdcda0a476cbede53e505ced8b162b4034bbb0daee62bf7047
Opcode Fuzzy Hash: 43e65da185654fcbc0346d128c2f1a17ad2a22c8f05d57a43626eb8fee92aed2
Instruction Fuzzy Hash: 66219D351093848FC300DF68D890B6AF7F4AB6A300FA9482CE1C5E7352EB36D955CB56

Function 00B8FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VY^_, xrefs: 00B8FDFF
J|BJ, xrefs: 00B9000D
V, xrefs: 00B8FEDC
t, xrefs: 00B8FCBE

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 7631f038be55bfea047f8c0f819d500837e84645631662b34b6633bf33bff8aa
Instruction ID: 5d50f154057bad4d543b684a01932153009558ba0468f906e588560c934bba39
Opcode Fuzzy Hash: 7631f038be55bfea047f8c0f819d500837e84645631662b34b6633bf33bff8aa
Instruction Fuzzy Hash: 4DD1767451D3919FD710EF14949062FBBE1EB92B48F1888ACF4C99B262D336CD09DB92

Function 00B8D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00B8D2F1

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bf8f9cacaf294342e815188ff9a7b2dd1428995483aae7cdd3a093e473122d1b
Instruction ID: 3118be876be3df77984b2f49956dcbf1c1b645433a36f3ecbe619c59275ff8f7
Opcode Fuzzy Hash: bf8f9cacaf294342e815188ff9a7b2dd1428995483aae7cdd3a093e473122d1b
Instruction Fuzzy Hash: 9F41127050D340ABC601BF68D598A2EFBE5EF52704F148C9DE5C4972A2C336D814DB67

Function 00BC5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00BC5784

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 59d9073753bd74bcf89bc0271f0851ad235ca2041465a3a251f2ad6471bb4b59
Instruction ID: 0616816b8b46e448287b64dcb1bb1623772054f1b88a6587d782e7ae0a91bee6
Opcode Fuzzy Hash: 59d9073753bd74bcf89bc0271f0851ad235ca2041465a3a251f2ad6471bb4b59
Instruction Fuzzy Hash: BB118C7591D640EBC311AF28E854E1BFBE5AF86B10F05886DE4C49B212D735E850CB93

Function 00BC5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00BC973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00BC5BDE

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00BC695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00BC69C5

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9a3edcd141732307c6d9f2593270d54bab0f005b345e512ff8c79bd6c2dfd794
Instruction ID: cfcb45cd6616d67b93ae1ffc2e3e1e45cf800d6602aa91b0cc578059cc081eb3
Opcode Fuzzy Hash: 9a3edcd141732307c6d9f2593270d54bab0f005b345e512ff8c79bd6c2dfd794
Instruction Fuzzy Hash: EA31A8B16083018FD718DF14C8A0B2AB7F1EF88344F58986DF5C6972A1E7389904CB66

Function 00B9049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c394e913eb1e53ccdb27cce42a310f1e73e03becf9202dee42503343923bb9
Instruction ID: d07e20f05b27cdf85d6ccd386efca73696d3b55103744163d08d232baceac005
Opcode Fuzzy Hash: e5c394e913eb1e53ccdb27cce42a310f1e73e03becf9202dee42503343923bb9
Instruction Fuzzy Hash: 9A917B75200B01CFD724CF25E894A26B7F6FF89310B118ABDE8568BAA1DB30F815CB50

Function 00B90228 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453e27abc74121aae56f421a0325746e13e1536dfdfb341ccd316f4ed192d574
Instruction ID: 17f48b799ac6273a9e8d757685ce5e73f1b211950f33cddb414dd983fb4dd709
Opcode Fuzzy Hash: 453e27abc74121aae56f421a0325746e13e1536dfdfb341ccd316f4ed192d574
Instruction Fuzzy Hash: 9B716874201701DFDB248F25E894F26B7F6FF89714F1089BDE8968B662DB31A815CB60

Function 00BC99D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2b86e5345bed9f03a715b27848ff248a0ad206683c832f0ed5ee3e0c0ad64d
Instruction ID: 1770ad20757e9a199d57fddfbd7b5590d82dae31952fc0f357140c88dc8bef97
Opcode Fuzzy Hash: 0c2b86e5345bed9f03a715b27848ff248a0ad206683c832f0ed5ee3e0c0ad64d
Instruction Fuzzy Hash: 27419C34209300ABE7249E15E894F2BF7E6EB85714F2488ACF58A97251D331EC01CB66

Function 00BC63B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 236ffe2e57c10411036672e84a17e46c593246bdbdb0ae4bac89445191240c35
Instruction ID: 22827278d9b5023ac0d3cf189b58572772408cfdf822671432505c8bf8a41afb
Opcode Fuzzy Hash: 236ffe2e57c10411036672e84a17e46c593246bdbdb0ae4bac89445191240c35
Instruction Fuzzy Hash: C831D270649301BBD628DB08CD92F3AB7E5EB81B11F64855CF1C19B2E1D770AC118B56

Function 00B90EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bc6d66171b342edd88bce33c4ff9ad13ff7ceedf84b0bc7153b95155c9c7a5
Instruction ID: 0bdcc6f7a0057921525dca94c88e8f4ef467fef490d22581685328fed0bbe738
Opcode Fuzzy Hash: 50bc6d66171b342edd88bce33c4ff9ad13ff7ceedf84b0bc7153b95155c9c7a5
Instruction Fuzzy Hash: 3C2137B590021A9FEF15CF94CC90BBEBBB2FF4A304F144859E811BB292C735A901CB64

Function 00BC3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00BC32A6

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f9b5a2dbb9ea9c4fe41c60260778245b42cd97f4ef2cd1ecc224b5118c240f76
Instruction ID: 56df74ec7848c895f2332eab7670db35ce855130474bbc0249b9d6e41bd07be1
Opcode Fuzzy Hash: f9b5a2dbb9ea9c4fe41c60260778245b42cd97f4ef2cd1ecc224b5118c240f76
Instruction Fuzzy Hash: FB018B3050D2409BC700AB18E854E1AFBE8EF4AB00F45885CE4C48B321D635DC60CBA2

Function 00BC3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00BC3208

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1bf67efe1efce38745d98f239bc8937d458abb7e48f31da6e70501fb3c2dbdd1
Instruction ID: 42d061c8a2226d1bbb2c028c4ccae771e40de0bd8fdc9fe276af38a2532e7e24
Opcode Fuzzy Hash: 1bf67efe1efce38745d98f239bc8937d458abb7e48f31da6e70501fb3c2dbdd1
Instruction Fuzzy Hash: BFB012301400005FDA041B00EC0AF003610EB00605F800090A100050B1E5615C64C554

Non-executed Functions

Function 00B9DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

89>?, xrefs: 00B9E9F6
:WUE, xrefs: 00B9F6B7, 00B9F6C6
LKJI, xrefs: 00B9E6E6
mjkh, xrefs: 00B9E7D8
()./, xrefs: 00B9E9CA
tuJK, xrefs: 00B9E967
T, xrefs: 00B9F157
`Y^_, xrefs: 00B9E99E
dcba, xrefs: 00B9E728
DCBA, xrefs: 00B9E887, 00B9E896
tsrq, xrefs: 00B9E6FC
xgfe, xrefs: 00B9E71D
D, xrefs: 00B9E846
%*+(, xrefs: 00B9DE37, 00B9DE46
<=:;, xrefs: 00B9E930
lkji, xrefs: 00B9E73E
QNOL, xrefs: 00B9E775
`onm, xrefs: 00B9E733
<=2, xrefs: 00B9EA01
89&', xrefs: 00B9E93B
AR, xrefs: 00B9DD10
WP, xrefs: 00B9DCEF
@ONM, xrefs: 00B9E6DB
|, xrefs: 00B9ECB1

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 6a495a843dabae12fb6abb3fd303294d3b819dbc31dbedd627a5d106e0a8f5d5
Instruction ID: e9726d6afd30c04a198be9daed983f1e56a673b4b3a2b475c21133bcd2352034
Opcode Fuzzy Hash: 6a495a843dabae12fb6abb3fd303294d3b819dbc31dbedd627a5d106e0a8f5d5
Instruction Fuzzy Hash: FDF278B05093829BDB70CF14C484BABBBE6FFD5314F5448ADE4D98B251EB319984CB92

Function 00BB23E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

Cx, xrefs: 00BB453D
3<, xrefs: 00BB32D6
fedc, xrefs: 00BB2782
{l`~, xrefs: 00BB268C
:, xrefs: 00BB32DD
%*+(, xrefs: 00BB40EF
ggxz, xrefs: 00BB2685
aenQ, xrefs: 00BB276A
|}&C, xrefs: 00BB2F21
mlc@, xrefs: 00BB275C
`tii, xrefs: 00BB2693
f@~!, xrefs: 00BB25FF

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: 1208f619779e1bf3a8a93ac523118cc23bb612ad67253110c77c6e6cdd8e0a1f
Instruction ID: 881a8cf8f296e3e1ba58927ce9ec0d2ab584c75ba26e2d1eead076e29a269e6f
Opcode Fuzzy Hash: 1208f619779e1bf3a8a93ac523118cc23bb612ad67253110c77c6e6cdd8e0a1f
Instruction Fuzzy Hash: 7533AB70504B818FD7258F38C590BA2BBE1FF16304F58899DE4DA8BB92C775E906CB61

Function 00BA9F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

%e6g, xrefs: 00BAA152
=], xrefs: 00BAA36A
JG, xrefs: 00BAAA27
N[, xrefs: 00BAA375
WH, xrefs: 00BAAA1C
sm, xrefs: 00BAA830
Gt, xrefs: 00BA9FF8
?m,o, xrefs: 00BAA13C
(a*c, xrefs: 00BAA147
hi, xrefs: 00BAAB9D
]{, xrefs: 00BAA1E7, 00BAA1F3
kW, xrefs: 00BAA380
S], xrefs: 00BAA636
WQ, xrefs: 00BAA62B
/), xrefs: 00BAA66D
_Y, xrefs: 00BAA641
CG, xrefs: 00BAAA32

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: c749a10b2fbeaf0897e0c2ac0aeb21d5279b810c160d1074fb6050e787a2dd4f
Instruction ID: 9c8ac6bc4bc760f98b82a8b9aace026fa51854f0a2ffe8e6b0800d520261bd1f
Opcode Fuzzy Hash: c749a10b2fbeaf0897e0c2ac0aeb21d5279b810c160d1074fb6050e787a2dd4f
Instruction Fuzzy Hash: BB52C6B414D385CAE270CF25D581B8EBAF1BB92740F608A1DE1ED9B255DB708045CFA3

Function 00BA9510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

X/R), xrefs: 00BA9AEB
!E4G, xrefs: 00BA9836
z=Q?, xrefs: 00BA9826
G+X5, xrefs: 00BA9AF3
?M0K, xrefs: 00BA9968
B?Q9, xrefs: 00BA9B0B
,A&C, xrefs: 00BA982E
2A"_, xrefs: 00BA9980
G'M!, xrefs: 00BA9ADB
L3Y=, xrefs: 00BA9B03
;IJK, xrefs: 00BA983E
O+f), xrefs: 00BA9634, 00BA963D
8;, xrefs: 00BA9B13
pq, xrefs: 00BA99E0
T#a-, xrefs: 00BA9AE3
B7U1, xrefs: 00BA9AFB

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: e944b75222e48431f42aaf69d09ca26a4fb96c2f0737eb327e173df3c24e232e
Instruction ID: 82430a64d50b49f3523e70291667dc5f412fe23addabdc5581f8f171ec961b80
Opcode Fuzzy Hash: e944b75222e48431f42aaf69d09ca26a4fb96c2f0737eb327e173df3c24e232e
Instruction Fuzzy Hash: D0F13EB4508380ABD310DF15D891A2BBBF4FB96B88F144D5CF4D99B252E334D908DBA6

Function 00BADD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

=]+_, xrefs: 00BAE276
,Q?S, xrefs: 00BAE26F
-M2O, xrefs: 00BAE25A
upH}, xrefs: 00BADE8A, 00BAE798, 00BADF4A
hX]N, xrefs: 00BADDC7
<Y.[, xrefs: 00BAE27D
n\+H, xrefs: 00BADDC0
Y9N;, xrefs: 00BAE245
)IgK, xrefs: 00BAE261
%*+(, xrefs: 00BAE143
{E, xrefs: 00BAE323

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: 7be869229686cbaf1fe970b9a948ee5b49468f7d433d0cefc13855939a0cb1b7
Instruction ID: fc8f07cfd5ce78045a08d5bd40ba8d560f62ecd832dac0230be1aea056ee9245
Opcode Fuzzy Hash: 7be869229686cbaf1fe970b9a948ee5b49468f7d433d0cefc13855939a0cb1b7
Instruction Fuzzy Hash: 3092E271E05205CFDB14CF68D8916AEBBF2FF4A310F2985A9E416AB391D7359D01CB90

Function 00D57179 Relevance: 11.6, Strings: 8, Instructions: 1579COMMON

Download Yara Rule

Strings

Wj5N, xrefs: 00D5845E
rv>}, xrefs: 00D57E7B
aPc, xrefs: 00D573BB
Ud7:, xrefs: 00D57A2F
&g, xrefs: 00D583D4
7E_, xrefs: 00D58058
"u}, xrefs: 00D583CE
F}}8, xrefs: 00D582FD

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: "u}$&g$7E_$F}}8$Ud7:$Wj5N$aPc$rv>}
API String ID: 0-2383018971
Opcode ID: 49550b40df204f84a297110feef8322c46b6fcbe6668e8e5876827619c3bd07f
Instruction ID: 8cd872ee07bcfce66a661b686261d3e46c55a13eddf8004bb03408152438bd7d
Opcode Fuzzy Hash: 49550b40df204f84a297110feef8322c46b6fcbe6668e8e5876827619c3bd07f
Instruction Fuzzy Hash: 04B2E4F390C6009FE304AE29EC8577ABBE5EF94720F16893DEAC4C3744EA3558458697

Function 00BA098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

{, xrefs: 00BA1502
9.5^, xrefs: 00BA0F9F
%*+(, xrefs: 00BA0A77, 00BA0A86
&> &, xrefs: 00BA0F89
cah`, xrefs: 00BA107E
,#15, xrefs: 00BA0F94
gce/, xrefs: 00BA1073
qrqp, xrefs: 00BA1089

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 5c4d0e8994414ddc6874c6d86129dde76bdf90181c4e0dba5b73aa1323eafd6e
Instruction ID: 28267ef06aa00ab49bd61c916fba1f665066c5a4a68b6b1a5384bb4b831a41ab
Opcode Fuzzy Hash: 5c4d0e8994414ddc6874c6d86129dde76bdf90181c4e0dba5b73aa1323eafd6e
Instruction Fuzzy Hash: 2962A8B56183818BD330DF18D891BABBBE1FF96314F084D6DE49A8B681E7359844CB53

Function 00B81000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00B822E1
gfff, xrefs: 00B82226
@, xrefs: 00B82C40
gfff, xrefs: 00B82297
0123456789abcdefxp, xrefs: 00B81587, 00B815F8
0123456789ABCDEFXP, xrefs: 00B8157D, 00B815EB
-, xrefs: 00B821ED

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 7d3f685c61742a98ebea93d3e59fdd046edd0e4d3d904e947765e1d882a78e00
Instruction ID: cbe486f41cb36e29a4610bc80a03646f3d6c5e9750c4b837bd8ac9c94a5d1213
Opcode Fuzzy Hash: 7d3f685c61742a98ebea93d3e59fdd046edd0e4d3d904e947765e1d882a78e00
Instruction Fuzzy Hash: F1D2F4716083418FD718DF28C49436ABBE2EFD5714F188AADE499C73A1D734D945CB82

Function 00D4618A Relevance: 10.4, Strings: 7, Instructions: 1682COMMON

Download Yara Rule

Strings

o7w, xrefs: 00D46319
:9+w, xrefs: 00D46AE7
-Ro, xrefs: 00D46B96
pX[R, xrefs: 00D46E4A
sv, xrefs: 00D46F32
5eZ^, xrefs: 00D463C0
c, xrefs: 00D4667D

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: -Ro$5eZ^$:9+w$o7w$pX[R$sv$c
API String ID: 0-4028509077
Opcode ID: 616a6b505c3b8cdd15132d01a33bea643661be2feced3da8025a2c0eff3c5cb8
Instruction ID: 00d07d752868d58e140782177faf8ca9d0c4fe8df20a3156295d7bd63111c0e7
Opcode Fuzzy Hash: 616a6b505c3b8cdd15132d01a33bea643661be2feced3da8025a2c0eff3c5cb8
Instruction Fuzzy Hash: D2B228F3A0C304AFE304AE2DEC8567ABBE9EF94720F16853DE6C4C7744E67558018696

Function 00D556BF Relevance: 9.1, Strings: 6, Instructions: 1621COMMON

Download Yara Rule

Strings

:R]w, xrefs: 00D55DCF
2j;, xrefs: 00D5658B
w)^%, xrefs: 00D5575B
rz, xrefs: 00D5605D
m.'/, xrefs: 00D5613A
Iz_, xrefs: 00D55FEC

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: 2j;$:R]w$Iz_$m.'/$w)^%$rz
API String ID: 0-1254057832
Opcode ID: 7338c055fce960ecf7b689bc61c7a1e04a0ed231de32a8103ea0ca5c18a4feb5
Instruction ID: 301ae9cfb84485f99be9c698c1768ea04ec1b5c9b0f479f86231c968399e0042
Opcode Fuzzy Hash: 7338c055fce960ecf7b689bc61c7a1e04a0ed231de32a8103ea0ca5c18a4feb5
Instruction Fuzzy Hash: 45B216F3A082009FE3086E2DEC8577ABBE9EFD4760F1A453DEAC487744E93558058796

Function 00D4CDEE Relevance: 9.1, Strings: 6, Instructions: 1588COMMON

Download Yara Rule

Strings

APq/, xrefs: 00D4E166
X9}, xrefs: 00D4CE84
CZww, xrefs: 00D4D4FC
Q--, xrefs: 00D4D549
b[, xrefs: 00D4D555
{p}, xrefs: 00D4DEF7

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: APq/$CZww$X9}$b[${p}$Q--
API String ID: 0-1776425320
Opcode ID: cfedb657dbf38aa5400a50c7cf9c08161349077f4e747a4ae79ecf16a4835cbd
Instruction ID: e03cc300211979d7de54e64c766d6e094e011ba3d74cfd4dda5bdc19a9c893ee
Opcode Fuzzy Hash: cfedb657dbf38aa5400a50c7cf9c08161349077f4e747a4ae79ecf16a4835cbd
Instruction Fuzzy Hash: B8B206F390C2009FE3046E29EC8566AFBE9EF94720F1A493DEAC4D3344E63598458697

Function 00B812F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

@, xrefs: 00B83531
0, xrefs: 00B81DC1
0, xrefs: 00B81E88
i, xrefs: 00B828EA
0, xrefs: 00B8243E

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 4baaee592145c3c976584f97271037b05dfcd7418745303dac9fb654a1ec44d5
Instruction ID: e4d497bf8cf663f484bec19804c79b20271b9f415a4cad48611634a26904adac
Opcode Fuzzy Hash: 4baaee592145c3c976584f97271037b05dfcd7418745303dac9fb654a1ec44d5
Instruction Fuzzy Hash: D762C07160D3818FC718EF28C49076ABBE1EF95304F188EADE8D9972A1D774D945CB82

Function 00B8164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

gfff, xrefs: 00B81F57
gfff, xrefs: 00B81F3C
0123456789abcdefxp, xrefs: 00B81659
0123456789ABCDEFXP, xrefs: 00B8164F
+, xrefs: 00B81573

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: b9f3854ff6c43131956478632540d7796eb333c25a485ccca54f5fb2a905c136
Instruction ID: cd3a6f8e34b4dd6a1ef55b3f9089a15cf51f299a3eef1074dd4c69f157ef9fc4
Opcode Fuzzy Hash: b9f3854ff6c43131956478632540d7796eb333c25a485ccca54f5fb2a905c136
Instruction Fuzzy Hash: 6CF1AF3160D3818FC719DF28C49466AFBE2AFD9304F188AADE4D987362D734D945CB92

Function 00B813A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

gfff, xrefs: 00B81F57
gfff, xrefs: 00B81F3C
-, xrefs: 00B81F23
0123456789abcdefxp, xrefs: 00B813AD
0123456789ABCDEFXP, xrefs: 00B813A3

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: e4d88610ddb5dcf4e5785c4bbea653e2e908c8c63c956a9a92ca4175e7ac7280
Instruction ID: fc5c10780a36f8ae24ce3e2484bb88ddc2bd964d524eb518c22d816578092996
Opcode Fuzzy Hash: e4d88610ddb5dcf4e5785c4bbea653e2e908c8c63c956a9a92ca4175e7ac7280
Instruction Fuzzy Hash: 3AD1BF3160D7818FC719DF29C48066AFBE2AFD9304F08CAADE4D987362D634D949CB52

Function 00D497DC Relevance: 6.6, Strings: 4, Instructions: 1610COMMON

Download Yara Rule

Strings

8Sw_, xrefs: 00D4A0DF
` ~], xrefs: 00D4A885
', xrefs: 00D4A748
%u^, xrefs: 00D4A36B

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: 8Sw_$` ~]$%u^$'
API String ID: 0-417534371
Opcode ID: 9423bf998f8d15acc3dbbc86afca4a61e243e8295bd2834e45c5cfa7815aa848
Instruction ID: 0437673a5c1278bd8bb864d855c9990e22330d271759346f8773139bab46e398
Opcode Fuzzy Hash: 9423bf998f8d15acc3dbbc86afca4a61e243e8295bd2834e45c5cfa7815aa848
Instruction Fuzzy Hash: 9CB216F3A0C2009FE308AF2DEC4567ABBE5EF94720F16893DE6C487744EA3558458697

Function 00D4EDEB Relevance: 6.3, Strings: 4, Instructions: 1346COMMON

Download Yara Rule

Strings

O, xrefs: 00D4F459
$}{, xrefs: 00D4F4C2
/#, xrefs: 00D4F9AF
+TaS, xrefs: 00D4F567

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: O$+TaS$/#$$}{
API String ID: 0-3645726534
Opcode ID: 280c3c1dcb3a19a22a827f4746d7aa1236b4ba6ac31083fe8fa57b75771b5e1b
Instruction ID: f7f7e43612a536b089ab597245e5f90d1ab7a2e88fb9c3218cfcbda236c8a8cf
Opcode Fuzzy Hash: 280c3c1dcb3a19a22a827f4746d7aa1236b4ba6ac31083fe8fa57b75771b5e1b
Instruction Fuzzy Hash: 96927AF3A082049FE3046E2DEC8567AFBE9EFD4320F1A463DEAC5C3744E97558058696

Function 00BAFD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

uvw, xrefs: 00BAFE95
:, xrefs: 00BB0087
m1s3, xrefs: 00BAFEC3, 00BAFECB
NA_I, xrefs: 00BB036D

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 1eb1d575274c3ef14ed3afef6e367e6dc608e2356da5b97e01e6caeba9b42d2a
Instruction ID: f6b80c3aead44d6cc3c8d7b8e04c89d98109faa5585b16d99835d02e9212d01d
Opcode Fuzzy Hash: 1eb1d575274c3ef14ed3afef6e367e6dc608e2356da5b97e01e6caeba9b42d2a
Instruction Fuzzy Hash: E332A9B0519381DFD310EF28D890A6BBBE1EB8A300F144DACF5D58B2A2E775D905CB52

Function 00B93BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

p, xrefs: 00B93C80
%*+(, xrefs: 00B93EC4
;z, xrefs: 00B93C87
ss, xrefs: 00B93C79

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: b709478a83842ae8978f2236eee905873187e50d39726f2bbe6d7e5f0052c9b3
Instruction ID: eb5dec17e12b272bf2fb7a3acee77061875697288aa56dc9efcd08267080360e
Opcode Fuzzy Hash: b709478a83842ae8978f2236eee905873187e50d39726f2bbe6d7e5f0052c9b3
Instruction Fuzzy Hash: A5026DB4810B00DFD760EF24D986B56BFF5FB05700F50499DE89A8B695E330E815CBA2

Function 00D50565 Relevance: 5.4, Strings: 3, Instructions: 1659COMMON

Download Yara Rule

Strings

6ec, xrefs: 00D51185
^[z, xrefs: 00D50C4B
$+y, xrefs: 00D50818

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: ^[z$$+y$6ec
API String ID: 0-4279877658
Opcode ID: 988019a446ed9f958e2b9c9c79664a523eafd67802746777e2f6da8916c3d23e
Instruction ID: 1bcdae3ce4a758a85bfc10fdf6d75b48111c64fc76414db4165404ee08de70aa
Opcode Fuzzy Hash: 988019a446ed9f958e2b9c9c79664a523eafd67802746777e2f6da8916c3d23e
Instruction Fuzzy Hash: F7B229F360C2009FE7046E2DEC8567AFBE9EF94720F16493DEAC5C3744EA3598018696

Function 00BA2260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

sj, xrefs: 00BA2327
a|, xrefs: 00BA2317
lc, xrefs: 00BA2507
hu, xrefs: 00BA232F

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 73ad51b4d1d22ff2b7603a83c76593256da1a28fe111d53d8be47e12869b5748
Instruction ID: 11d3a77886d8b3596cbcd21738c15c1d82616b3bf6b7346428dde2658280a759
Opcode Fuzzy Hash: 73ad51b4d1d22ff2b7603a83c76593256da1a28fe111d53d8be47e12869b5748
Instruction Fuzzy Hash: E4A18BB48083418BC720DF18C891A2BB7F0FFA6754F548A4CE8D59B391E739D945CB96

Function 00BAD7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

#', xrefs: 00BAD9EA
CV, xrefs: 00BAD98B
KV, xrefs: 00BAD97D
T>, xrefs: 00BAD984

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 244f730c58e00da7c135e30345cca5452ed2ba72b25aa2744f40538f82c3fa86
Instruction ID: 41ea141b7714aa03c6ba6d17dc3a4251a5539430df4b43a907f7070732bcbacd
Opcode Fuzzy Hash: 244f730c58e00da7c135e30345cca5452ed2ba72b25aa2744f40538f82c3fa86
Instruction Fuzzy Hash: 528155B48057459BDB20DFA5D2851AFBFB1FF12300F604A4CE4866BA55C334AA55CFE2

Function 00BAAC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

4c2a, xrefs: 00BAACA9
,{*y, xrefs: 00BAAD07, 00BAAD13
lk, xrefs: 00BAACBC
(g6e, xrefs: 00BAACA1

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: a0e60996bbcc1fcf47a6d7cc39852f6a9fdeedfd059654f6431c1a99767896c7
Instruction ID: 8e25578e0b18e544dce885ba96aaccffb9b37f0d7b71140436305d51155d2538
Opcode Fuzzy Hash: a0e60996bbcc1fcf47a6d7cc39852f6a9fdeedfd059654f6431c1a99767896c7
Instruction Fuzzy Hash: EC4196B4409382DBD7209F24D800BABB7F0FF86305F5499ADE5C897220EB31D944CBA6

Function 00BAC470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 00BAC537
%*+(, xrefs: 00BAC9E4, 00BAC9ED
%*+(, xrefs: 00BAC8C3, 00BAC8CB

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: 10fb47cc06296b9749f55723136fd8df9daeef6b840699fd6a517a5d3f698ef1
Instruction ID: a833dcc48586d55563f67b109173d7f9f735feb87d19064febbb1ad329a7b72d
Opcode Fuzzy Hash: 10fb47cc06296b9749f55723136fd8df9daeef6b840699fd6a517a5d3f698ef1
Instruction Fuzzy Hash: 3CE197B551D344EFE3209F68D881B2BBBE5FB86340F548C6DE58987251EB35D810CB92

Function 00B88590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

IEND, xrefs: 00B889F0
), xrefs: 00B88616
), xrefs: 00B8860C

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: e997916c3880be2b892e2f0369eb1497541900ce126dbb92f9278ea5b33f716f
Instruction ID: 99ab88ade9ffc8392ab2f757199c7568249d4fadf23cb42ab127420485a25c0d
Opcode Fuzzy Hash: e997916c3880be2b892e2f0369eb1497541900ce126dbb92f9278ea5b33f716f
Instruction Fuzzy Hash: 05E1F3B1A083029FD310EF28D88172ABBE0FF94314F54496DE595973A1DB75E914CBD2

Function 00BC4040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BC40A4, 00BC40AD
f, xrefs: 00BC420C

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 6d7d4d802045209b75b6ed5eae166c4ff9d4fdd9137fafb6bd16dbea2012bc6b
Instruction ID: a909dbf7b1a7b4550a5cd6f4ff4438703bb234e424e8a8b356ed2e85730f0779
Opcode Fuzzy Hash: 6d7d4d802045209b75b6ed5eae166c4ff9d4fdd9137fafb6bd16dbea2012bc6b
Instruction Fuzzy Hash: 64128B716083419FC714CF18C8A0F2ABBE1FBC9314F188AADF4D59B291D735EA458B92

Function 00BBF620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

hi, xrefs: 00BBF6E6
dg, xrefs: 00BBF7F5

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 340789e25b91f4a395ed15ac2a42140755e50c864b0a5c75372b870af5f8a32d
Instruction ID: e0308493e0b44f08d86bceaa77529af9b0ca81c2a02b11a286ddfb419c06a8bc
Opcode Fuzzy Hash: 340789e25b91f4a395ed15ac2a42140755e50c864b0a5c75372b870af5f8a32d
Instruction Fuzzy Hash: 5DF19271618342EFE304CF24D891BAABBE6FB96344F148D6DF0858B2A1DB74D845CB12

Function 00B835B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 00B83607
NaN, xrefs: 00B8360E

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: d4001ff940fee1fb7743fe71f51dfb51ea79ed1c909ece2a038ee4017b534655
Instruction ID: b325e6eda0656f6ad04b8d2be5418305ddedc115b7240836008e7cd0f1db4e35
Opcode Fuzzy Hash: d4001ff940fee1fb7743fe71f51dfb51ea79ed1c909ece2a038ee4017b534655
Instruction Fuzzy Hash: F1D1D571A183119BC708DF28C88061EBBE5EBC8F50F158A7DF999973A0E675DD05CB82

Function 00B9FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 00BA00F6
BaBc, xrefs: 00BA0197

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 36815dd44bfbedd0ea3cc02bc085e34883f4d96402c5f5e5322882b6c28fe843
Instruction ID: 994cfa59e9848cb831fe9a7700e9c4535d61c0990f34cdd4ecbc9da32cbc63a2
Opcode Fuzzy Hash: 36815dd44bfbedd0ea3cc02bc085e34883f4d96402c5f5e5322882b6c28fe843
Instruction Fuzzy Hash: AF51CAB16183858BC731EF14C881BABB7E0FF97320F08499DE49A9B651E3749940CB57

Function 00D48907 Relevance: 1.9, Strings: 1, Instructions: 643COMMON

Download Yara Rule

Strings

%1mo, xrefs: 00D48CC0

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %1mo
API String ID: 0-2657052308
Opcode ID: a50245a98435e09f189b9cc221338d31d8eb459879b7fd06d717f5fc3b92d927
Instruction ID: f6683df2865952014dc496a8a3d4238eb93e9e92172afdb92ee310c53e30127c
Opcode Fuzzy Hash: a50245a98435e09f189b9cc221338d31d8eb459879b7fd06d717f5fc3b92d927
Instruction Fuzzy Hash: 121212F360C200AFE3046E29EC8566EBBE9EF98360F16493DE6C5C3744EA355841C697

Function 00B85160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00B854C8

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: de96c411af98c575dc9eb1556b5ca94a91cf91940e1eacca95b8f6f9e729c4d6
Instruction ID: 4bd6c3008205903e21453c948bd39ec6d71ab2d44e55373c20429f3eb247168a
Opcode Fuzzy Hash: de96c411af98c575dc9eb1556b5ca94a91cf91940e1eacca95b8f6f9e729c4d6
Instruction Fuzzy Hash: 9222B3B6A08B428BE735AE18D980726BBE2EFE0314F1DC5ADD8594B361E771DC44C742

Function 00BB12D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00BB15D1

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: abd65b5439d41c6fb08d7dfbb96fd9afbb79e11d2f861a6549000aa6cee4f813
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 66F10571A083415FC724CE29C8A06BBBBE5EFC5350F588DADE89A87382D674DD05C792

Function 00BAAE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BAB2D3, 00BAB2DB

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: fb1f9f1f6c5ed594b491be007f4b08c1ca03710b48b7de68e04070b456d28bec
Instruction ID: cca01253fe5965f4ba78f15f344ee1113c110b07c552bc2b02b537d939ce942f
Opcode Fuzzy Hash: fb1f9f1f6c5ed594b491be007f4b08c1ca03710b48b7de68e04070b456d28bec
Instruction Fuzzy Hash: 72E1E93150C306DBC724EF28C89096EF7E2FF9A781F24895CE4D587221E731A959CB92

Function 00B96EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00B96EF3

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 9bb7874a9243c220a6bfd84b9ac09e3a514d4188ec19b782205c6e6b9315c8e4
Instruction ID: 5cd87214f2d201c6ae738d1120c41a252b49f04b200b0302af85bb29e3faec2e
Opcode Fuzzy Hash: 9bb7874a9243c220a6bfd84b9ac09e3a514d4188ec19b782205c6e6b9315c8e4
Instruction Fuzzy Hash: AFF18FB5A00A02CFCB24DF24D891A26B7F6FF58314B1489BDE497876A1EB34F815CB51

Function 00BA7E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BA8263, 00BA826B

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f09350dc8450ccd367fd9cc8fc13f78d2d7da9ecec858f43f68fee8bf41aef25
Instruction ID: f65054506db2d2b7ebd2a12334780a95c02699bca762cbd7c674e681f7b06bb0
Opcode Fuzzy Hash: f09350dc8450ccd367fd9cc8fc13f78d2d7da9ecec858f43f68fee8bf41aef25
Instruction Fuzzy Hash: 24C19E7190C300ABD720AF14D882A2BB7F5EF96754F08889CF8C59B651E735ED15CBA2

Function 00BA8D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BA9233, 00BA923B

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 256c4abe8ba9f652bfd3b55b5e238c8d8a00b1a5a7eb4e0c7f4bc3af195dde75
Instruction ID: c8c75ea4985543ea6779d1c9b1496434c3f9faf055f0ce097063a5cfccea8b9b
Opcode Fuzzy Hash: 256c4abe8ba9f652bfd3b55b5e238c8d8a00b1a5a7eb4e0c7f4bc3af195dde75
Instruction Fuzzy Hash: BCD1AE70619302DFD704DF64D8A0B2AB7E6FF89304F5948BEE88687251EB35E950CB51

Function 00BC7FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00BC8167

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 21a1f4f8537bdabc4fdbb0f71f9cc3397431ef7d9fcf416cb02ee3e9499a5829
Instruction ID: 0c78526b69bd99081893e9203377ec4025060843f039b79b5c854789fe494eb2
Opcode Fuzzy Hash: 21a1f4f8537bdabc4fdbb0f71f9cc3397431ef7d9fcf416cb02ee3e9499a5829
Instruction Fuzzy Hash: 9FD1C4729082658FC725CE189890B2EB7E1EB85718F19867CE8B5AF380DB71DC46C7D1

Function 00BACCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BACDC3, 00BACDCB

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 9533ddb9857bbea6cf544a7d6e43c7b3e3763dfcda06c64b291c2f8e93b4e632
Instruction ID: 6d4f6eaf5ebea5025651312c184faff9df5077f5379708eaeefdec8fda5beedd
Opcode Fuzzy Hash: 9533ddb9857bbea6cf544a7d6e43c7b3e3763dfcda06c64b291c2f8e93b4e632
Instruction Fuzzy Hash: 22B1DD7060D3059FD724EF18D890B2BBBE2EF96340F1449ACE5C58B251E735E855CBA2

Function 00B8A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00B8A9C3

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: b21c1a359137508d27b66744e5d0224b4c81e4a26a4e40b6f6542c9e3ff61705
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: 5AB1387020C3819FD324DF18C88061BBBE1AFA9704F448A6DF5D997352D675EA18CB67

Function 00BBFC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BBFCA4, 00BBFCAD

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 570f05e6c19734295336296b90796827b640855140350bd29c2e53c57a0b5e03
Instruction ID: f6c38a885e908f392fd1929939fe7308e347151041d722635fe49d746ec6e796
Opcode Fuzzy Hash: 570f05e6c19734295336296b90796827b640855140350bd29c2e53c57a0b5e03
Instruction Fuzzy Hash: A081AA7060A302ABD720DF68DC84B7AB7E5FB99701F14886DF58497291EB71E814CB62

Function 00B9D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00B9D663, 00B9D66B

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5bbe6ad83505f87ecece600dd70179812b78fbac717933bd5f3cf68d853b9eb5
Instruction ID: 98ac35cdd2057ba77081bcb702babe27fb4b59218317ce3b7c21dc6cf012718f
Opcode Fuzzy Hash: 5bbe6ad83505f87ecece600dd70179812b78fbac717933bd5f3cf68d853b9eb5
Instruction Fuzzy Hash: FB61F3B1909304DBDB10EF59DC92A2AB3F0FFA5354F0909ADF9899B261E731D910C792

Function 00BC4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BC4C33, 00BC4C3B

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 2db3a0986b9176ab9acd58f633e07a625c03bbbc6644942151456d6b1de6ff6f
Instruction ID: a02a328012cb8ea3d127666cacd8254777dc05e9488f1612ee0c77c21b9c3f20
Opcode Fuzzy Hash: 2db3a0986b9176ab9acd58f633e07a625c03bbbc6644942151456d6b1de6ff6f
Instruction Fuzzy Hash: F561DE716093019BD720DF25D8A0F2AFBE6EBC4314F28899DE9C5872A1D771EE40CB52

Function 00C2D04F Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

oHWw, xrefs: 00C2D0DC

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: oHWw
API String ID: 0-118737725
Opcode ID: 6d1b332c1a16143b69ae1d9a716ae753b9418e2758a2752b0079258cb2c9cd2a
Instruction ID: 0d168d0a66b5eeb367bc82b5376bc021198858d12c430de3a3c7a5a13ff62ee0
Opcode Fuzzy Hash: 6d1b332c1a16143b69ae1d9a716ae753b9418e2758a2752b0079258cb2c9cd2a
Instruction Fuzzy Hash: 0751E4F39186005BE3146E2DEC5477ABBD9EFD4320F1B093DEAD8D7380E93988018696

Function 00B8E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00B8E333

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: b5a886ddf588388ec76043829fb3e0a74074dd558c6392290347b7ee9e3157be
Instruction ID: fea58199eb22e17d2cc5670180fcf2ce0940fb40826c8a07228269479527f91e
Opcode Fuzzy Hash: b5a886ddf588388ec76043829fb3e0a74074dd558c6392290347b7ee9e3157be
Instruction Fuzzy Hash: 17512823B196A04BD325A93C4C952697AC70BE6334B3DC7A9E9F58B3F1D555CC01C350

Function 00CB51F9 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

%?m, xrefs: 00CB5327

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %?m
API String ID: 0-2943181182
Opcode ID: 98894cfa70cba0eff691693a845f215ee03973c369cec662c2191521889eaefe
Instruction ID: 4147c88d5090f3b4291aa11348800af7284c57d867b3e324686215285b8144e0
Opcode Fuzzy Hash: 98894cfa70cba0eff691693a845f215ee03973c369cec662c2191521889eaefe
Instruction Fuzzy Hash: 1C4112F3B142046BF308992DEC65737B6CADBD8720F2A813EA68AC7784E8795C054295

Function 00BC3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BC39E3, 00BC39EB

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 0eb5e98f26e1167902f062ad2aad33f9db28574431d887acce969c92d5654074
Instruction ID: b26a6888eceaa797ddf8d72c5ca60807c53fbae33bdcc8a75b1ac07a7b6991df
Opcode Fuzzy Hash: 0eb5e98f26e1167902f062ad2aad33f9db28574431d887acce969c92d5654074
Instruction Fuzzy Hash: 5A517C306092409BCB24DF15D990F2EFBE5EB89B44F58C89DE4C687251D772EE20CB62

Function 00D34A1A Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

q9YW, xrefs: 00D34AC3

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: q9YW
API String ID: 0-1191961776
Opcode ID: 5455ef154cfb3e8cfc128632ab60950e7615c3dbf03a7ddd24224bfea093b85c
Instruction ID: aa78e1068613d1cbbfb83c88aac754b88d6f6327fd58ae0db391548fefa4086b
Opcode Fuzzy Hash: 5455ef154cfb3e8cfc128632ab60950e7615c3dbf03a7ddd24224bfea093b85c
Instruction Fuzzy Hash: 22416BF3F186141BF318493DED85766B686EBD4360F2B433EEA89A37C1E8761C064185

Function 00B91BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00B91C3E

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 5b00c1ba168aa5e007e91bfd03a9080836efce04be3cc37b73920718e18660e3
Instruction ID: c97b9fb745654048c9aa2de5a1a15c858f596cf2e28de40abf575a43bf7970f0
Opcode Fuzzy Hash: 5b00c1ba168aa5e007e91bfd03a9080836efce04be3cc37b73920718e18660e3
Instruction Fuzzy Hash: 504142B4008381ABCB149F28D894A2BBBF0FF86354F048E6DF5C59B291E736C915CB56

Function 00BBFF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00BC0033, 00BC003B

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 038ec5de2e0f5fdf28f9c11a29776c0c9cdf6bc0cbaa1b4e1ff46f60593b6c7b
Instruction ID: 55e0b78d38e28d039b6018076cc6607ecafa68ab6fd3c4a5e856939e8de43953
Opcode Fuzzy Hash: 038ec5de2e0f5fdf28f9c11a29776c0c9cdf6bc0cbaa1b4e1ff46f60593b6c7b
Instruction Fuzzy Hash: C831D0B1A18309EBD610FB14EC81F3BB7E9EB85748F5548ACF88487252E631DC14C7A2

Function 00BAE40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 00BAE6A2

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 0e9e0142ceab1c1d62a09d175d05b6313edc1af932c84cfd104a2cf2b487d7fd
Instruction ID: 6bc7fc920d5303970526a68603bdf222b348bf1f391ef0a4d08cf82e28edfbba
Opcode Fuzzy Hash: 0e9e0142ceab1c1d62a09d175d05b6313edc1af932c84cfd104a2cf2b487d7fd
Instruction Fuzzy Hash: EA31C3B5905204DFC720DF98E8A05AFFBF5FB06304F5408A9E456AB201D735ED05CBA1

Function 00B96F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00B9703B

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 47803abbf2af3213edd7cbe0effeea75c19fba990bd6292a56f006d5412a73bc
Instruction ID: 25c805b5b19c2b639999226b62645046cc6299e30f7bf9e27f4cc0505a507a5a
Opcode Fuzzy Hash: 47803abbf2af3213edd7cbe0effeea75c19fba990bd6292a56f006d5412a73bc
Instruction Fuzzy Hash: 51415971215B04DBDB358F61D994F26BBF2FB09701F2488ACE5869B6A1EB31F8008B10

Function 00BAE66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 00BAE6A2

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 895053e0ae6a93b4ef9d46feb88bd054b128c56ad28bbd280427777e5fdd983d
Instruction ID: 6bcafc8c7b72f1c1f9280b56ae6c101d15234b20cac699581750bb52063b3b05
Opcode Fuzzy Hash: 895053e0ae6a93b4ef9d46feb88bd054b128c56ad28bbd280427777e5fdd983d
Instruction Fuzzy Hash: 5221BCB1A05204DFC720DF98E8A0A6FBBF5FB0A700F540899E446AB241D735ED01CBA2

Function 00BC9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00BC9D30

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 26de91772cde399e7c8165ad56803710e81e2a9ffd35b9ba3449f51500fcee60
Instruction ID: 952fa37d79ed1e75d7082c353ce277ae8d201ceea9cbae4a98c7ad4d49aebcdc
Opcode Fuzzy Hash: 26de91772cde399e7c8165ad56803710e81e2a9ffd35b9ba3449f51500fcee60
Instruction Fuzzy Hash: 913178705093449BE310DF14D884B2AFBF9EF9A314F24996CE5C6A7251D335D904CBA6

Function 00B94E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71f20e77e190bb0770290e68d94fb74cb361526676fad9938f96dc58a7781ae
Instruction ID: 27f82826908629d576f1de74421d305e0f8efa0e86f887953c84f74921408884
Opcode Fuzzy Hash: c71f20e77e190bb0770290e68d94fb74cb361526676fad9938f96dc58a7781ae
Instruction Fuzzy Hash: 9A6238B0500B009BDB36CF24D990B26BBE6AF59704F5489ACD49A87A52E734F844CBA5

Function 00B8BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 36b5d78bb98645010a65d7222cd5d5506a737594927857da20ccb57fc996de09
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 0C523B715087118BC725EF18E4802BAF7E1FFD4319F298A7DD9C6932A0E734A851CB96

Function 00BC8652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65444942a2e67c41f9e4eb960f62f11e6d2550e526a3955daec0e92479ee1b57
Instruction ID: 5a14f49202315771a73334f82b0cfbb2a5f00f021e40ca392bd903393ec860e3
Opcode Fuzzy Hash: 65444942a2e67c41f9e4eb960f62f11e6d2550e526a3955daec0e92479ee1b57
Instruction Fuzzy Hash: 0722BC35609341DFD704DF68E8A0A2AFBE1FB89315F0988AEE5C997351EB35D850CB42

Function 00BC86F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e557d9a90f22ddf11d33bff43e8f65b630f6c0c29a5106d1e7491633aa8ada
Instruction ID: 5b59ec50107cfa1d0d18dfdd8e0946e8141aa04867b294957193a12603b991ad
Opcode Fuzzy Hash: c7e557d9a90f22ddf11d33bff43e8f65b630f6c0c29a5106d1e7491633aa8ada
Instruction Fuzzy Hash: D222AA35609341DFD704DF68E8A0A1AFBE1FB8A315F09896EE5C987351EB35E850CB42

Function 00B8B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4645cc37f35ad1d10d5cc5935720ac9a118123019bf284361379415a522e61
Instruction ID: f55c7702f04031939c839c14b13ffbf410e7197ac82d6740b1c57ff959b275c5
Opcode Fuzzy Hash: 4c4645cc37f35ad1d10d5cc5935720ac9a118123019bf284361379415a522e61
Instruction Fuzzy Hash: 6352F970908B848FE735EB34C494BA7BBE2EF91314F144CADC5D606BA2C779A885CB51

Function 00B871F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e220a37763a04f8400d6cf15967d8c4e47134eb5b24eb799ddd8f3b7ec87a845
Instruction ID: fc027fa1c7b1d66135b58da1fb37a39fd008f5ca9406d82ef8efa14b68014468
Opcode Fuzzy Hash: e220a37763a04f8400d6cf15967d8c4e47134eb5b24eb799ddd8f3b7ec87a845
Instruction Fuzzy Hash: 7C52E23150C3458FCB15DF29C0D06AABBE1FF89318F298AADE89957361DB34D949CB81

Function 00B88FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702bcd38f2216555360462229854c211e521433141ac047221b4eb3dae2c8328
Instruction ID: f9581a5dd283edafb15e5c008aa5cec4dfa4253e16a677d6740082a86880f1e5
Opcode Fuzzy Hash: 702bcd38f2216555360462229854c211e521433141ac047221b4eb3dae2c8328
Instruction Fuzzy Hash: 61424575608342DFDB18CF28D850B6ABBE1BF88315F09886DE4958B3A1DB35D985CF42

Function 00B87BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9919c81f17b266fd5c7132f2f6fcff561e6d688cfc351ce58d47afbecc3681b3
Instruction ID: cc9f48961ff4afb2f62b8f8b4e978a36d4fcbb1d4ec953a4cc3c72b5b09d3ea3
Opcode Fuzzy Hash: 9919c81f17b266fd5c7132f2f6fcff561e6d688cfc351ce58d47afbecc3681b3
Instruction Fuzzy Hash: F1322270514B118FC368EF29C590526BBF2FF45714BA04AAED6A787BA0DB36F845CB10

Function 00BC89A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3b37acebdaf7d32be34b4d4ac2e7107a27e4053b8958748e64378605dbf6a2
Instruction ID: 97e8de7166eb2a758646913386af0bd678184778acd6935bf34ba467121d82aa
Opcode Fuzzy Hash: 8c3b37acebdaf7d32be34b4d4ac2e7107a27e4053b8958748e64378605dbf6a2
Instruction Fuzzy Hash: D802A935609241DFD704DF68E890A1AFBF1EF8A315F0989AEE4C987361D736D814CB92

Function 00BC8A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a860899061d9227cb4384d91f38db3cf3380ccd952ae86f3591facc4a820126e
Instruction ID: 8383054f1c3dfec30e541b5a0c461a2217815f6337eafa758493342f13263fd0
Opcode Fuzzy Hash: a860899061d9227cb4384d91f38db3cf3380ccd952ae86f3591facc4a820126e
Instruction Fuzzy Hash: D4F1983560D380DFD704EF68E890A1AFBE1EF8A315F09896DE4C987251D736D910CB92

Function 00BC8C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e84f3df91d4cdd1119097fd01cb327f813f07939e448da2152b678acfdef02
Instruction ID: c4b5f57eb00561f3dd8ee663e3243aab4012ebab982b78773b51523e9bcccd07
Opcode Fuzzy Hash: a8e84f3df91d4cdd1119097fd01cb327f813f07939e448da2152b678acfdef02
Instruction Fuzzy Hash: 3DE1BD31619341CFD704DF28E890A2AFBE1FB8A315F09896DE4D987351E736E910CB92

Function 00B8A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 7e8bea396033ed03e8af300adbcb616676679a14fbe976ec0644561581bb5415
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: F0F1BD766083418FD724DF29C88166BFBE6EFD8300F08886DE4D587761E639E945CB62

Function 00BC8E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8b75bf8784d67421ec294ed4d937a14ce4eaafd9b06f36110b2f084a517de2
Instruction ID: dd4e7bf8da4c10eeeef6bfc59fffbebd879ae13cd4e283af26d84eed3492903d
Opcode Fuzzy Hash: de8b75bf8784d67421ec294ed4d937a14ce4eaafd9b06f36110b2f084a517de2
Instruction Fuzzy Hash: 37D19A3461D280DFD705EF28D894A2EFBF5EB8A315F0989ADE4C587251DB36D810CB92

Function 00B94487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e3cca8203bc0e3eb349730785f02d8c05917f5a42164cf931df45133a1c02c
Instruction ID: 5f0fea5af10332fb5ce9a52315c20211d98714e09541718b7387640417938d6d
Opcode Fuzzy Hash: d1e3cca8203bc0e3eb349730785f02d8c05917f5a42164cf931df45133a1c02c
Instruction Fuzzy Hash: 14E1E2B5501B008FD725CF28D992B97B7E1FF06708F0488ADE4AA87762EB35B815CB54

Function 00BC6CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df66f2fda53f7617dd0752d19bcb02bb128f6dbed5e16f0e31d7192adc74653
Instruction ID: 65891ea4c6624271fa7c2f390ba2a0a2f45ea63016d8e187b8f6edf1d0c41cd7
Opcode Fuzzy Hash: 6df66f2fda53f7617dd0752d19bcb02bb128f6dbed5e16f0e31d7192adc74653
Instruction Fuzzy Hash: 51D1E236619355CFC724CF38D890A2AFBE1EB89314F094A6ED495C73A2E734DA44CB91

Function 00BC7AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad5a80b063f94449ecfc9676f7090b964cbefd65fd16e5650da0c28a85e2521
Instruction ID: 65e6906903e9831a11f892cf83bd3cf6ed2521ab1531dec1a8ad20870b6e1978
Opcode Fuzzy Hash: aad5a80b063f94449ecfc9676f7090b964cbefd65fd16e5650da0c28a85e2521
Instruction Fuzzy Hash: A4B127B2A4C3514BD714DA28CC81B6BB7E9EBC4314F0449BDE999D7391EE35DC048B92

Function 00B8AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: b66e53763ba67b713282bf4072f78b689c6c0df5789a1dec0854e75ba1537ac8
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: D5C18DB2A187418FC360DF28DC96BABB7E1FF85318F08492DD1D9C6252E778A155CB06

Function 00B96536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80f7ece38609c4f05c8b63d5e91da0ea29cc3468e92abad53a7f4f684cb2a4f
Instruction ID: 5e3db0716a3c6c624e123e7d20afb30fc5c2b7a8a3a257858d87bbab5af89671
Opcode Fuzzy Hash: f80f7ece38609c4f05c8b63d5e91da0ea29cc3468e92abad53a7f4f684cb2a4f
Instruction Fuzzy Hash: D3B110B4600B008BC7258F24C981B67BBF1EF56704F1488ADE8AA8BB52E735F805CB54

Function 00BC7710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 282c260164616dab28b6d6b19dfd283b3ff98e762086ebf48b0f843943401a43
Instruction ID: 5a59db8d3446cccdf67c520a5795e959feb11a91e54cf2a0443afa1763b8f79b
Opcode Fuzzy Hash: 282c260164616dab28b6d6b19dfd283b3ff98e762086ebf48b0f843943401a43
Instruction Fuzzy Hash: 83919B71649301ABEB20DB15D880FABBBE5EB85350F54889DF99497351EB30E940CFA2

Function 00BCA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53dacf53ad8c0bc2912468af4aaea1417c3cb7d89f383019db73df8208be63ad
Instruction ID: f6dbbdf6f2a562c1435c0c71185ed7a0f61d4cf96e3773a99a35bcea01a38d3e
Opcode Fuzzy Hash: 53dacf53ad8c0bc2912468af4aaea1417c3cb7d89f383019db73df8208be63ad
Instruction Fuzzy Hash: 47819C342093498FD724DF28D890F2AB7E5EF89748F5589ACE586CB251E731EC10CB92

Function 00BB64F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e931ed12eb8153642bae755c9f74fae70245ba32e68d4f586efba6abe6e74b
Instruction ID: 2742956daf1f1c8b385e8bc466cc15d56598ac5e004f2169c167f670fc050b80
Opcode Fuzzy Hash: 31e931ed12eb8153642bae755c9f74fae70245ba32e68d4f586efba6abe6e74b
Instruction Fuzzy Hash: 7D71B633B299904BC3249D7D4C853F5AB835BE6334B3D83B9E9B5CB3E5D9694C064250

Function 00BA28E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7ac5b54fd13cd89c7c45c54aae8d471cac0bc1c99c9c44e5699ffca9de9428
Instruction ID: 25a4a7f80dafbb2f3ddc2b001be55c8c2d7e4598f3c27bdcee9f3e8e3bbfe2f4
Opcode Fuzzy Hash: df7ac5b54fd13cd89c7c45c54aae8d471cac0bc1c99c9c44e5699ffca9de9428
Instruction Fuzzy Hash: C36166B441C3509BD310AF18E891A2BBBF0EFA6750F08899DF4C59B261E379D910CB66

Function 00BA7C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82a71dfa700c975fc1824b6037a26c1371c448cdeeecf368af84de3968626fd
Instruction ID: 1a761a6dfd27e6de8b245da1303e8e9b8c68fc60be21abb1b81982472d1a2943
Opcode Fuzzy Hash: a82a71dfa700c975fc1824b6037a26c1371c448cdeeecf368af84de3968626fd
Instruction Fuzzy Hash: 8651B0B164C204ABDB209B24DC92B7737F4EF86364F148598F9858B291FB75DC05C761

Function 00E230EF Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cd5e7e0cf21140f651fbd470cbc70e0ad1cfb9c52d6db6dd5c91598b97369c
Instruction ID: c83904ec94d8bee70ec89353274671c55a13cb55e3755a7d2f1fce253929c911
Opcode Fuzzy Hash: d9cd5e7e0cf21140f651fbd470cbc70e0ad1cfb9c52d6db6dd5c91598b97369c
Instruction Fuzzy Hash: 696129B360D120DFD308AA38EC417BAB7E6EB94710F25852DE6C6A3744E9395A109B47

Function 00BB1860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: ce2e8b78a7df797f297908cc3fba71ee13e65539f2cff02080e8f28f57e876f2
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 9F619D31609341ABD714CE2CC9A07BEBBE2EBC5350FA4CDADE4D98B251D2B0ED859741

Function 00BB82D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9569c2b4297cdd4cab92dcf2e6fdc7ba42b27569bed6daf5819b3d46aaccd09
Instruction ID: 66c07d177d06d636e8c0cbf479a8c3a3b0c98c881b7a3d41734032b962760e75
Opcode Fuzzy Hash: b9569c2b4297cdd4cab92dcf2e6fdc7ba42b27569bed6daf5819b3d46aaccd09
Instruction Fuzzy Hash: 4E612923A5A9914BC325493C5C953F66AC75BE6330F3EC3E6E8B58B3E4CDA94801C341

Function 00C07955 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf6c01ad31a3fb14e6a73c94d24f36e5183043deac36fb962f6d432cb74933b
Instruction ID: cca48f0f595934c336459122fee240085ea7e7fbd02546fb6d08c4107c88a9a3
Opcode Fuzzy Hash: 7bf6c01ad31a3fb14e6a73c94d24f36e5183043deac36fb962f6d432cb74933b
Instruction Fuzzy Hash: 3961C5B3E082109BE7146E2DDC453BABBD5EF94320F1A453DDAD8D7780E97A981487C2

Function 00B942FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ccbd16066e8893e08fe75601d2d228362e9f496e5517b2bf94d4665f69aa89
Instruction ID: 28f0e91199ad5b3533e6db29062970b6dc94d8976a3cf53836829160b5340121
Opcode Fuzzy Hash: 93ccbd16066e8893e08fe75601d2d228362e9f496e5517b2bf94d4665f69aa89
Instruction Fuzzy Hash: 7B81E6B4810B00AFD360EF39D947797BEF4AB06601F404A6DE4EA97694E7306459CBE3

Function 00BBE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 52bd7fdc8d2814185379200923afb6cb91292a0e3d1a61e67cc5fa671688ba92
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: AC517CB15083448FE314DF29D4943ABBBE1BB85318F044E2DE4E983351E379D6088F82

Function 00CA53CD Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8700795a2b80efad2e608c81e1894a3a32ecdd557dee19feba649545bd918ac
Instruction ID: 1300d6e510ad24e951b4a8c35904269d1516e2d00d91a4c4608844c79396dfc1
Opcode Fuzzy Hash: f8700795a2b80efad2e608c81e1894a3a32ecdd557dee19feba649545bd918ac
Instruction Fuzzy Hash: 9D5138F3A083009FE3045E2ADCC572ABBD5EFD4320F5B863DEAC487794D97958468296

Function 00E14371 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cc42c16163181176e7b7a94b3731ab527e8bf60343033306ab31c3ba03bfa0
Instruction ID: c909e75ffede47517862459b6e31ec74c40ff8327a34cf295177849a5efde944
Opcode Fuzzy Hash: a5cc42c16163181176e7b7a94b3731ab527e8bf60343033306ab31c3ba03bfa0
Instruction Fuzzy Hash: BB51D3F391C220DFD3116A59EC807FAB7E5EB94720F26453DEAD6A7380E67108C19692

Function 00BC7520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94791c46d10dc27d0d87a1a2e9114089d07cc7e45cc3d70128c153f6b4cafbc4
Instruction ID: f2cc49979824db14c104ba243731812ef17ea0c75ad40e6790fb49b3a4cf7df9
Opcode Fuzzy Hash: 94791c46d10dc27d0d87a1a2e9114089d07cc7e45cc3d70128c153f6b4cafbc4
Instruction Fuzzy Hash: EA51153164D204ABC7159E18DC90F2EF7E6FB85354F288A6CE8E597391DB31EC108BA1

Function 00B85A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a287d337da62136a7cd639f74211e7eb8ae3816b40671c96331780b968798ff3
Instruction ID: 3c9ffd1822c8d0fb4329d4e436cf0df3573d4a3b2cb75da5e7d73eaf2542387a
Opcode Fuzzy Hash: a287d337da62136a7cd639f74211e7eb8ae3816b40671c96331780b968798ff3
Instruction Fuzzy Hash: 1651C1B5A047049FC724EF14D890926BBE1FF89324F1546ACE8999B362D631EC42CB92

Function 00BAEC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87dc123494c6b2443b8ec06403b495005ac2a7adb218b01da9303407487f8d5f
Instruction ID: a33a799f3a507b84e9ae3fadf9faf23fca1824611a99f5cca69102f6e7c4ae6f
Opcode Fuzzy Hash: 87dc123494c6b2443b8ec06403b495005ac2a7adb218b01da9303407487f8d5f
Instruction Fuzzy Hash: D5419E74900315DBDF208F98DCA1BADB7F0FF0A350F144599E995AB3A0EB38A951CB91

Function 00BC9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3c85c25631224effb83dd3d883c5950ae3f4e98c428a1eb494c3d4379cec16
Instruction ID: fa4957e9f369ca814ad68592762a772ed82a8bdd3cc7ceed8537b2d35cc54c19
Opcode Fuzzy Hash: 2d3c85c25631224effb83dd3d883c5950ae3f4e98c428a1eb494c3d4379cec16
Instruction Fuzzy Hash: 7B418D34209300ABE724DF15D994F2BFBEAEB85714F6488ACF58997251D335EC00CBA6

Function 00B92030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efde41dec115ef454ecfe47996d0c2d5501b488eaf2592ecfa1c90d55af3712d
Instruction ID: 3f32b3af08a6f56f276645837d2142959a1d8facdc58d472c02e950f6ff81d20
Opcode Fuzzy Hash: efde41dec115ef454ecfe47996d0c2d5501b488eaf2592ecfa1c90d55af3712d
Instruction Fuzzy Hash: C641F632A083655FD75CCF2AC49463ABBE2ABC5300F09867EE4DA873D4DA748945DB81

Function 00B91E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc82f0facc365fc8d9be63c8c76eb6fe4298a03dcbd80798313cdcbdf37e0a08
Instruction ID: 327c511ab52b28e3937b53c85f126f750a06218b38eb94ac38c393c0a65b7103
Opcode Fuzzy Hash: fc82f0facc365fc8d9be63c8c76eb6fe4298a03dcbd80798313cdcbdf37e0a08
Instruction Fuzzy Hash: 1A41F174508380ABD720AB58C884B2EFBF5FB8A354F144D6DF6C497292C376E8149F66

Function 00BC8D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55845a5a9633ab831a111502547175ea449480b0530746b05c937074a9cc432
Instruction ID: 51a3127b5498dbb9a6431f971e3c3e5fc58cecbe4bd0767e36beacc2d29872dc
Opcode Fuzzy Hash: a55845a5a9633ab831a111502547175ea449480b0530746b05c937074a9cc432
Instruction Fuzzy Hash: C041CF3160C2548FC304DF68C490A2EFBE6EF99300F098AAED4D6D72A1DB74DD018B92

Function 00B9D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ef1302741e79bd7c738c9747ab2f83ff9b37e6ff2031cb064983d4eca1c2ad
Instruction ID: a0d9b1b148af1f1a6caaa55b19b2a9cf7afc7ce0b3dc70bb57b7548ae83e3a8b
Opcode Fuzzy Hash: d0ef1302741e79bd7c738c9747ab2f83ff9b37e6ff2031cb064983d4eca1c2ad
Instruction Fuzzy Hash: AB418BB15093818BD730AF15C891BABB7F0FFA6364F0409A9E58A8B7A1E7744940CB57

Function 00BBF030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: cb1a9a9993c4e764c3f590a5f67e063f5afbe03098174bb339229a9af3d6ecc5
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 8B2137329082254BC324EF2DC88167BF7E4EB99704F46867ED8C4A72A5E3759C10C7E1

Function 00BC67EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3dac1963fe65c6c0ee95e75aac1501869a377d27ac74bfb965dac05233582e
Instruction ID: 75df19740bddfb4703415cc96a92ad8bb50bb63aa57ded3b5bd3a6d5e004e654
Opcode Fuzzy Hash: 6b3dac1963fe65c6c0ee95e75aac1501869a377d27ac74bfb965dac05233582e
Instruction Fuzzy Hash: 8F3134705183829AD714CF14C4A0A2FFBF0EF96784F50584DF4C8AB262D738D985CB9A

Function 00BA5E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e136509d6349c2194b290cdd8e05833b7a530a75ae207bafc90275cb181878b6
Instruction ID: 27704b394947b5858651570759a125f31bc22939421987bd90e6cffdc935931b
Opcode Fuzzy Hash: e136509d6349c2194b290cdd8e05833b7a530a75ae207bafc90275cb181878b6
Instruction Fuzzy Hash: A221AEB0509201DFD320AF28C85196BBBF4EF92764F44895CF4D99B292E335CA00CBA3

Function 00B849A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 89e9d35a6c7508da71062becc5682ed5ec450f23fc45b8b95381beea8b957457
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 3931EA31648202DFD714AF58D8C0A2BB7E1EF84358F1889BDE89A8B261D331DC42CB46

Function 00BC64B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514ce0e0a1f85099b31181e1e03cb9018cc5a2ce509e27fbf70f61a7bbb63101
Instruction ID: 0897d91454a11d06a50a2ffdffffb5c65b302d988265d73f138283e05f7660f7
Opcode Fuzzy Hash: 514ce0e0a1f85099b31181e1e03cb9018cc5a2ce509e27fbf70f61a7bbb63101
Instruction Fuzzy Hash: 6021737460C2409BC718EF19D8A0E2EFBE2FB95742F28885CE4C593362D734AC51CB66

Function 00BBB650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5255f7dd16aedf3632c8a8bed6eeb46b3f13346be61f04a1608d70d07248df62
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: C711C633A051D40FC3168D3C84409B5FFE35AA3234B5943D9E4B59B2D2D7A28D8A9354

Function 00BB0B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: 574d194757ab4afd37247eb29d2496121efa5499a55d525bc83db3f7026ac847
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 590175F5A1030147EB30BE54A4D1B7BB6E8EF54718F1845ACD40A57201DBB5EC05C7A1

Function 00BAD1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f621f87ab97f2b9971cf907d530fab942942cdb6d1ae186cc9e51abc24f687
Instruction ID: 78e2ad119e5f8357c4346213468702e3d4850331269b3bc6c08fe11c27718359
Opcode Fuzzy Hash: 61f621f87ab97f2b9971cf907d530fab942942cdb6d1ae186cc9e51abc24f687
Instruction Fuzzy Hash: BE11ECB0418380AFD310AF61C494A2FFBE5EBA6714F148C4DF6A59B251C379E819CF56

Function 00B86EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47cc28cc47327dacab4b37c9879e1db698f607514b450dd9b5cc5da082251b1
Instruction ID: 4cdbd428989a573e74f579856401ba2ba648e809c5f35292eb91f53c2af3092b
Opcode Fuzzy Hash: c47cc28cc47327dacab4b37c9879e1db698f607514b450dd9b5cc5da082251b1
Instruction Fuzzy Hash: 11F0B43AB1921A0BA210DDABE884C3BB3D6D7D9355F145538EA41D3211DE72E8069291

Function 00BBB8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 00B9C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00B9B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 9d0df39c015c8a2471d0ef5e6f608e7e9e9a6c8ee0819212715ad862575daf8b
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: D3F0ECB1A0451067DF228A94ACC0F37BBDCCB87354F1904B6E84557303D2A15845C3E5

Function 00BB8220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c70e44462fbf6f7c845decd805f997a76f476fec84f7208465b70dab887b3f
Instruction ID: cdb1675524d0a9f7a35830d3fb64fde81db6834ffb8547d0d229ba37945c7e28
Opcode Fuzzy Hash: 02c70e44462fbf6f7c845decd805f997a76f476fec84f7208465b70dab887b3f
Instruction Fuzzy Hash: C401EFB4410B009FC360EF29C845B4BBBE8EB08714F008A1DE8AECB680D770A5488B82

Function 00BC1440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 6c6c2b5a68ad1bf51021673b1e4b3a1df6e81cf1be31ae2834c1af7968a92e98
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: AAD05E31608321469B688E1DA400A77F7E0EA87B12B49999EF586E3249D230DC41C6A9

Function 00B91ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6defb1cb8a3d548aa44ac912d0fa08f5d215c73eb3b75a789841c26c1d866a32
Instruction ID: ba3ef7807559c1ce362e48ab30d6879c5d46b290da02911bfcf81da02d313012
Opcode Fuzzy Hash: 6defb1cb8a3d548aa44ac912d0fa08f5d215c73eb3b75a789841c26c1d866a32
Instruction Fuzzy Hash: F3C08C34A590028BC208CF04FCE5832B7F9A30B308750707ADA03F3321DF30C8069909

Function 00BC6094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf485d1e3e1cced687cce04aaa493f4d744d556ae1bb449ffee100e43653ad3c
Instruction ID: d4e5e92f10a56bd63cf39ca61c3cbe1c885fc9349ccfc783414573c11a2ef4b3
Opcode Fuzzy Hash: bf485d1e3e1cced687cce04aaa493f4d744d556ae1bb449ffee100e43653ad3c
Instruction Fuzzy Hash: 23C09B3465D04587924CCF04D961975F3F69B97F1C724B05FC80623257D534D512951D

Function 00B91A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbed0e8e7dd76185ceef0b332170409d86ff9121d4cb9dc7d9cf120d6692c653
Instruction ID: 0195bff3915a69aaaa4f29a122d5cfe6dd42514bb31fe103709789496682ac68
Opcode Fuzzy Hash: dbed0e8e7dd76185ceef0b332170409d86ff9121d4cb9dc7d9cf120d6692c653
Instruction Fuzzy Hash: DDC09B34E99042CBC64CCF8AE8E1831A7FD530B208710347A9713F7361C960D4059509

Function 00BC5FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054879363.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.2054862133.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000BE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000D68000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054914788.0000000000E8C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055129971.0000000000E8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055238467.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6211e41f60fdb955cba2cf05c75e1a84032c74b0825145bde6cf1a5b63a2e370
Instruction ID: 12c08953fb4ecaef8efb35f54699099f36afde8c372829fbc10e9579d7e35bf5
Opcode Fuzzy Hash: 6211e41f60fdb955cba2cf05c75e1a84032c74b0825145bde6cf1a5b63a2e370
Instruction Fuzzy Hash: AAC09224B6A0018BA28CCF18DD61935F3FA9B8BE1CB14B02FC806A3257E934D512860D

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 00BC50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 00B8FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 00B8D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00BC5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 00BC5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00BC695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 00B9049B Relevance: .3, Instructions: 264
COMMON

Function 00BC3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00BC3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON