Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1529360
MD5:	0d807d16e7731b2dd9cb3048b3a13f14
SHA1:	bbb157924fdaa9990df2254d740495c95f15c1c8
SHA256:	08643496ffbec35a84e902dbdbfe27b8b1043d66627dec62d3c6a2f0de76111c
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0D807D16E7731B2DD9CB3048B3A13F14)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["clearancek.site", "studennotediw.storec", "spirittunek.storec", "licendfilteo.sitec", "dissapoiznw.storec", "eaglepawnoy.storec", "bathdoomgaz.storec", "mobbipenju.store"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:05.673642+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49714	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:05.673642+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49714	104.21.53.8	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:02.709604+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.6	51109	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:02.635907+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.6	56997	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:02.679483+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.6	53279	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:02.668267+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.6	60343	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:02.731879+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.6	61521	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:02.655613+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.6	53377	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:02.720654+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.6	52865	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T22:32:02.691045+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.6	54230	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: file.exe.5960.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "studennotediw.storec", "spirittunek.storec", "licendfilteo.sitec", "dissapoiznw.storec", "eaglepawnoy.storec", "bathdoomgaz.storec", "mobbipenju.store"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49714 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004BD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004BD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_004F63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004F5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_004F695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_004F99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_004BFCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_004C0EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_004F4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_004B1000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_004C6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_004EF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_004F6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_004DD1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_004D2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_004D2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_004C42FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_004BA300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_004F1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004CD457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_004DC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_004DE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_004CB410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_004F64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004D9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_004F7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_004C6536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_004B8590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_004EB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_004DE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_004F7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_004F67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_004DD7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_004D28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_004CD961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_004F3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_004B49A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_004F4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_004B5A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_004C1A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_004C1ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_004CDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_004CDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_004F9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_004C1BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_004C3BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_004E0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_004DEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_004D7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_004EFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_004DCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004DCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_004DCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004F9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_004F9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_004DAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_004DAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_004DFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_004DDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004F8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_004DAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004D7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004D5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_004C4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_004C1E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_004B6EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_004C6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_004BBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_004D9F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004EFF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_004F7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004F7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_004CFFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_004F5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_004B8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_004C6F91

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:53279 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:54230 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:61521 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:52865 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:51109 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:60343 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:53377 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:56997 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49714 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: studennotediw.storec
Source: Malware configuration extractor	URLs: spirittunek.storec
Source: Malware configuration extractor	URLs: licendfilteo.sitec
Source: Malware configuration extractor	URLs: dissapoiznw.storec
Source: Malware configuration extractor	URLs: eaglepawnoy.storec
Source: Malware configuration extractor	URLs: bathdoomgaz.storec
Source: Malware configuration extractor	URLs: mobbipenju.store

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=3bec567ad78964e101629a82; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 08 Oct 2024 20:32:04 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.2161915191.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148020075.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162953308.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.u
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2161915191.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148020075.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162953308.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900IF
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49714 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C0228	0_2_004C0228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F4040	0_2_004F4040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00639027	0_2_00639027
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B1000	0_2_004B1000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007	0_2_0062E007
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C2030	0_2_004C2030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FA0D0	0_2_004FA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A4154	0_2_005A4154
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B5160	0_2_004B5160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B71F0	0_2_004B71F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067F184	0_2_0067F184
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BE1A0	0_2_004BE1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E82D0	0_2_004E82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E12D0	0_2_004E12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B12F7	0_2_004B12F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BA300	0_2_004BA300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BC327	0_2_005BC327
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E23E0	0_2_004E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B13A3	0_2_004B13A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BB3A0	0_2_004BB3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DC470	0_2_004DC470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E64F0	0_2_004E64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C4487	0_2_004C4487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C049B	0_2_004C049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004CC5F0	0_2_004CC5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B8590	0_2_004B8590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B35B0	0_2_004B35B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B164F	0_2_004B164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F8652	0_2_004F8652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EF620	0_2_004EF620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F86F0	0_2_004F86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067D6AE	0_2_0067D6AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068269F	0_2_0068269F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BA850	0_2_004BA850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E1860	0_2_004E1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EB8C0	0_2_004EB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068C8AF	0_2_0068C8AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EE8A0	0_2_004EE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006879CA	0_2_006879CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066F9CC	0_2_0066F9CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D098B	0_2_004D098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F89A0	0_2_004F89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F4A40	0_2_004F4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00613A5C	0_2_00613A5C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00584AC2	0_2_00584AC2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F8A80	0_2_004F8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F7AB0	0_2_004F7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004CDB6F	0_2_004CDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00685B04	0_2_00685B04
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B7BF0	0_2_004B7BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F8C02	0_2_004F8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DCCD0	0_2_004DCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00680CA9	0_2_00680CA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F6CBF	0_2_004F6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068AC9E	0_2_0068AC9E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D8D62	0_2_004D8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068FD33	0_2_0068FD33
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DFD10	0_2_004DFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DDD29	0_2_004DDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DAE57	0_2_004DAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F8E70	0_2_004F8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C4E2A	0_2_004C4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C6EBF	0_2_004C6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BBEB0	0_2_004BBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BAF10	0_2_004BAF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004F7FC0	0_2_004F7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B8FD0	0_2_004B8FD0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004CD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004BCAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9991555796204621
Source: file.exe	Static PE information: Section: ozuzauxt ZLIB complexity 0.9943338877436282

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004E8220 CoCreateInstance,

0_2_004E8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static file information: File size 1877504 > 1048576

Source: file.exe

Static PE information: Raw size of ozuzauxt is bigger than: 0x100000 < 0x1a0e00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.4b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ozuzauxt:EW;ytfcriws:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ozuzauxt:EW;ytfcriws:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1cd145 should be: 0x1cc6dd

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: ozuzauxt
Source: file.exe	Static PE information: section name: ytfcriws
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070B075 push edx; mov dword ptr [esp], edi	0_2_0070B0A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070B075 push esi; mov dword ptr [esp], ebx	0_2_0070B0E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00740047 push 6D01DCE5h; mov dword ptr [esp], ebp	0_2_0074009B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00740047 push 64E0DDCCh; mov dword ptr [esp], ebp	0_2_007400A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00639027 push 4693473Ah; mov dword ptr [esp], edi	0_2_00639094
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00639027 push ecx; mov dword ptr [esp], 51F38AB1h	0_2_00639109
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00639027 push edx; mov dword ptr [esp], ecx	0_2_00639122
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00639027 push ebx; mov dword ptr [esp], edx	0_2_00639166
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051700C push 4D05D28Eh; mov dword ptr [esp], edi	0_2_0051701A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007 push ecx; mov dword ptr [esp], eax	0_2_0062E092
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007 push 1AD169D8h; mov dword ptr [esp], ebp	0_2_0062E09F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007 push ecx; mov dword ptr [esp], ebx	0_2_0062E117
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007 push 6818DB30h; mov dword ptr [esp], edx	0_2_0062E1C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007 push 2404245Eh; mov dword ptr [esp], ecx	0_2_0062E1DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007 push 68EDDB47h; mov dword ptr [esp], esp	0_2_0062E22B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007 push edx; mov dword ptr [esp], edi	0_2_0062E283
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E007 push edi; mov dword ptr [esp], edx	0_2_0062E287
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00631009 push 1CC71398h; mov dword ptr [esp], esi	0_2_00631071
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00631009 push 07FADA7Ch; mov dword ptr [esp], edx	0_2_0063108B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007060E5 push 18A9FF50h; mov dword ptr [esp], esp	0_2_0070612A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00962031 push 43423898h; mov dword ptr [esp], eax	0_2_00962049
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00962031 push eax; mov dword ptr [esp], ecx	0_2_00962089
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00962031 push edx; mov dword ptr [esp], 5D7516ADh	0_2_009620DB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00962031 push esi; mov dword ptr [esp], edi	0_2_00962109
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00962031 push eax; mov dword ptr [esp], 7EDF8732h	0_2_00962117
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A4154 push 65A6466Ah; mov dword ptr [esp], ecx	0_2_005A4198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A4154 push 4660C1A0h; mov dword ptr [esp], ebx	0_2_005A41BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A4154 push 273572B0h; mov dword ptr [esp], ecx	0_2_005A41E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A4154 push ebp; mov dword ptr [esp], edi	0_2_005A4261
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096218D push edx; mov dword ptr [esp], eax	0_2_009621CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096218D push ebx; mov dword ptr [esp], 7C2DF0D9h	0_2_009621E9

Source: file.exe	Static PE information: section name: entropy: 7.966805914787849
Source: file.exe	Static PE information: section name: ozuzauxt entropy: 7.954408538139141

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 513CE1 second address: 513CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694FB3 second address: 694FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694FBB second address: 694FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694FC6 second address: 694FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694036 second address: 69403C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69403C second address: 69404B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B4507Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69404B second address: 69408A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F59A4B60A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007F59A4B60A32h 0x00000013 jmp 00007F59A4B60A1Dh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694237 second address: 694290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45084h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F59A4B4507Fh 0x00000010 popad 0x00000011 push edi 0x00000012 jnp 00007F59A4B45076h 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007F59A4B4507Eh 0x00000022 jp 00007F59A4B45076h 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a jnc 00007F59A4B45086h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69459F second address: 6945A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6945A5 second address: 6945A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6945A9 second address: 6945BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jng 00007F59A4B60A16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F59A4B60A16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69473D second address: 694743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694743 second address: 694747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694747 second address: 69475B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 696ECF second address: 696ED9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F59A4B60A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 696ED9 second address: 696EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 696EDE second address: 513CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 1EBA13FBh 0x0000000e or dword ptr [ebp+122D25DBh], ebx 0x00000014 push dword ptr [ebp+122D0019h] 0x0000001a mov dword ptr [ebp+122D25DBh], eax 0x00000020 call dword ptr [ebp+122D1907h] 0x00000026 pushad 0x00000027 jmp 00007F59A4B60A23h 0x0000002c xor eax, eax 0x0000002e jnl 00007F59A4B60A1Ch 0x00000034 mov dword ptr [ebp+122D1ACDh], esi 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e pushad 0x0000003f call 00007F59A4B60A23h 0x00000044 mov eax, dword ptr [ebp+122D2C91h] 0x0000004a pop ecx 0x0000004b sub dword ptr [ebp+122D1BB2h], esi 0x00000051 popad 0x00000052 mov dword ptr [ebp+122D2C35h], eax 0x00000058 pushad 0x00000059 mov ax, EDDDh 0x0000005d adc di, 6200h 0x00000062 popad 0x00000063 mov esi, 0000003Ch 0x00000068 xor dword ptr [ebp+122D1BB2h], edx 0x0000006e add esi, dword ptr [esp+24h] 0x00000072 stc 0x00000073 lodsw 0x00000075 jo 00007F59A4B60A17h 0x0000007b clc 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 mov dword ptr [ebp+122D1BB2h], edx 0x00000086 js 00007F59A4B60A1Ch 0x0000008c sub dword ptr [ebp+122D1BB2h], ebx 0x00000092 mov ebx, dword ptr [esp+24h] 0x00000096 jno 00007F59A4B60A1Dh 0x0000009c push eax 0x0000009d pushad 0x0000009e pushad 0x0000009f push eax 0x000000a0 push edx 0x000000a1 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 696F32 second address: 696F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 697157 second address: 69715B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69715B second address: 697169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 697169 second address: 69716D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69716D second address: 697171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 697171 second address: 697177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 697177 second address: 69717D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69717D second address: 697181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B8BA6 second address: 6B8BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B8BAA second address: 6B8BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007F59A4B60A1Ah 0x0000000d jnc 00007F59A4B60A2Eh 0x00000013 pushad 0x00000014 je 00007F59A4B60A16h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B69F3 second address: 6B6A06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F59A4B4507Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6A06 second address: 6B6A0B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6A0B second address: 6B6A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45081h 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6A2E second address: 6B6A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6A34 second address: 6B6A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6A39 second address: 6B6A3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6A3E second address: 6B6A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6CF7 second address: 6B6D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F59A4B60A1Fh 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6E4A second address: 6B6E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6E4F second address: 6B6E5A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007F59A4B60A16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6E5A second address: 6B6E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F59A4B45076h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B76C4 second address: 6B7700 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F59A4B60A20h 0x00000008 pop edx 0x00000009 jmp 00007F59A4B60A1Ch 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F59A4B60A27h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B7700 second address: 6B7704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B7704 second address: 6B7717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007F59A4B60A16h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B7717 second address: 6B771F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B82C4 second address: 6B82CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B8490 second address: 6B8496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B8617 second address: 6B861C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B8780 second address: 6B8786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B8A67 second address: 6B8A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B8A6B second address: 6B8A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BC1D0 second address: 6BC1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F59A4B60A16h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BF702 second address: 6BF706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BFB36 second address: 6BFB3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BE543 second address: 6BE548 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1907 second address: 6C190B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C190B second address: 6C1911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F8A1 second address: 68F8A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F8A7 second address: 68F8AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C6FAD second address: 6C6FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C6FB1 second address: 6C6FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C6FB7 second address: 6C6FC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F59A4B60A16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C6FC3 second address: 6C6FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C7420 second address: 6C7431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F59A4B60A16h 0x00000009 jl 00007F59A4B60A16h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C7431 second address: 6C7439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C7439 second address: 6C743F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C75C7 second address: 6C7602 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Dh 0x00000007 jmp 00007F59A4B45089h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F59A4B45081h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C7602 second address: 6C7610 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F59A4B60A18h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C7610 second address: 6C7639 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F59A4B45076h 0x00000011 jmp 00007F59A4B45083h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9CE0 second address: 6C9CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9D64 second address: 6C9D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9D68 second address: 6C9DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 jmp 00007F59A4B60A29h 0x0000000e pop ebx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 ja 00007F59A4B60A32h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F59A4B60A28h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9DCD second address: 6C9DF4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F59A4B4507Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F59A4B45081h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9DF4 second address: 6C9E43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F59A4B60A28h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F59A4B60A18h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 adc edi, 747A53AAh 0x0000002c push 138D89DDh 0x00000031 pushad 0x00000032 push ecx 0x00000033 pushad 0x00000034 popad 0x00000035 pop ecx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9E43 second address: 6C9E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CA8E5 second address: 6CA8EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CAD58 second address: 6CAD62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CAE1E second address: 6CAE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F59A4B60A16h 0x0000000a popad 0x0000000b jl 00007F59A4B60A28h 0x00000011 jmp 00007F59A4B60A22h 0x00000016 popad 0x00000017 push eax 0x00000018 jo 00007F59A4B60A2Eh 0x0000001e pushad 0x0000001f jmp 00007F59A4B60A20h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68079B second address: 6807C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59A4B4507Dh 0x00000008 jmp 00007F59A4B4507Bh 0x0000000d push edi 0x0000000e pop edi 0x0000000f jng 00007F59A4B45076h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CBCAC second address: 6CBCB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CBCB0 second address: 6CBCB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CBCB4 second address: 6CBCBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CBCBA second address: 6CBCC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CF07C second address: 6CF081 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D0567 second address: 6D056B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D056B second address: 6D0577 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D0577 second address: 6D057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D057C second address: 6D0582 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D0582 second address: 6D0586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D0586 second address: 6D05B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a sub ecx, dword ptr [ebp+122DBDD3h] 0x00000010 mov edx, dword ptr [ebp+122D1A7Ch] 0x00000016 popad 0x00000017 push 00000000h 0x00000019 sub dword ptr [ebp+124587E6h], esi 0x0000001f push 00000000h 0x00000021 mov edi, dword ptr [ebp+122D2D51h] 0x00000027 push eax 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D05B3 second address: 6D05C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59A4B4507Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D0FE2 second address: 6D0FE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1C35 second address: 6D1C9C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F59A4B45078h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007F59A4B45078h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000015h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 push 00000000h 0x00000044 mov dword ptr [ebp+122D17CAh], ebx 0x0000004a mov edi, dword ptr [ebp+122D233Ch] 0x00000050 xchg eax, ebx 0x00000051 pushad 0x00000052 je 00007F59A4B45078h 0x00000058 push ecx 0x00000059 pop ecx 0x0000005a push eax 0x0000005b push edx 0x0000005c push edx 0x0000005d pop edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D35FF second address: 6D3609 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F59A4B60A16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D5F80 second address: 6D5F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D5F84 second address: 6D5F8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1954 second address: 6D195A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D921A second address: 6D9220 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA1C7 second address: 6DA23E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59A4B45088h 0x00000008 jmp 00007F59A4B45087h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 pushad 0x00000012 jmp 00007F59A4B4507Ch 0x00000017 mov esi, dword ptr [ebp+122D325Ah] 0x0000001d popad 0x0000001e push 00000000h 0x00000020 cmc 0x00000021 push 00000000h 0x00000023 jmp 00007F59A4B4507Eh 0x00000028 xchg eax, esi 0x00000029 pushad 0x0000002a je 00007F59A4B45084h 0x00000030 jmp 00007F59A4B4507Eh 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA23E second address: 6DA242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA242 second address: 6DA250 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA250 second address: 6DA254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA254 second address: 6DA25A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA366 second address: 6DA36A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA36A second address: 6DA370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA370 second address: 6DA376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA376 second address: 6DA37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA37A second address: 6DA37E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA43C second address: 6DA440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA440 second address: 6DA455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59A4B60A21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DD1E8 second address: 6DD254 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F59A4B4507Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F59A4B45078h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 or di, D900h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F59A4B45078h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F59A4B45081h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DB57D second address: 6DB586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DB586 second address: 6DB58A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DB58A second address: 6DB598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DB598 second address: 6DB5A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DE287 second address: 6DE28B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DE28B second address: 6DE299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F59A4B4507Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E0347 second address: 6E034D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E034D second address: 6E03BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F59A4B45081h 0x0000000a popad 0x0000000b nop 0x0000000c stc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F59A4B45078h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+1247C0C9h] 0x0000002f push 00000000h 0x00000031 jne 00007F59A4B45082h 0x00000037 xchg eax, esi 0x00000038 jnc 00007F59A4B4507Ah 0x0000003e push eax 0x0000003f pushad 0x00000040 pushad 0x00000041 jno 00007F59A4B45076h 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E03BC second address: 6E03C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DE44E second address: 6DE454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DF51B second address: 6DF520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E34D1 second address: 6E34DB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E05F3 second address: 6E05FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E34DB second address: 6E3551 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add bh, 0000004Bh 0x0000000f push 00000000h 0x00000011 xor edi, dword ptr [ebp+122D2B4Dh] 0x00000017 xor bh, FFFFFFE2h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F59A4B45078h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 sbb ebx, 2F464C63h 0x0000003c xchg eax, esi 0x0000003d jmp 00007F59A4B45085h 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F59A4B4507Bh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E2670 second address: 6E2675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E457E second address: 6E4584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4584 second address: 6E4588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4588 second address: 6E45B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F59A4B4507Dh 0x0000000e nop 0x0000000f add dword ptr [ebp+12456E72h], ebx 0x00000015 push 00000000h 0x00000017 mov bx, 8FBEh 0x0000001b push 00000000h 0x0000001d adc di, 07DCh 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push edi 0x00000026 push edx 0x00000027 pop edx 0x00000028 pop edi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E7F75 second address: 6E7F7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E7F7B second address: 6E7F85 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59A4B4507Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6ECD35 second address: 6ECD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6ECD40 second address: 6ECD44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6ECD44 second address: 6ECD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ecx 0x0000000a jmp 00007F59A4B60A1Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007F59A4B60A16h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC6E9 second address: 6EC6ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC82C second address: 6EC830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC830 second address: 6EC85A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F59A4B45086h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F59A4B45076h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC85A second address: 6EC85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFB5C second address: 6EFBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F59A4B45087h 0x0000000e jmp 00007F59A4B45081h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 jg 00007F59A4B45086h 0x0000001e pop eax 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 pushad 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 jc 00007F59A4B45076h 0x0000002b popad 0x0000002c jmp 00007F59A4B45081h 0x00000031 popad 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFBC0 second address: 6EFBC6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFBC6 second address: 6EFBD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F59A4B45076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFD9F second address: 6EFDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFDA3 second address: 6EFDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007F59A4B4507Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFDBC second address: 6EFDF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F59A4B60A27h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFEAF second address: 6EFEB9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFEB9 second address: 6EFECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59A4B60A21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F7A0B second address: 6F7A15 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F810F second address: 6F8115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F8115 second address: 6F8119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F8119 second address: 6F8127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F59A4B60A16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F8127 second address: 6F813A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F813A second address: 6F8140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F8140 second address: 6F8144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F8144 second address: 6F816A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F59A4B60A36h 0x0000000e jnc 00007F59A4B60A18h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F59A4B60A1Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBCE5 second address: 6FBCEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBCEF second address: 6FBCF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBCF4 second address: 6FBCFE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F59A4B4507Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBCFE second address: 6FBD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBD0E second address: 6FBD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBD12 second address: 6FBD16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBD16 second address: 6FBD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBD1C second address: 6FBD37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F59A4B60A16h 0x0000000b jmp 00007F59A4B60A1Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 700DE9 second address: 700E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45083h 0x00000009 popad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 jl 00007F59A4B4507Eh 0x00000016 jc 00007F59A4B45076h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jg 00007F59A4B45076h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 706D19 second address: 706D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70596B second address: 705994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F59A4B45076h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F59A4B45089h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705E90 second address: 705EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007F59A4B60A1Bh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F59A4B60A22h 0x00000014 jmp 00007F59A4B60A21h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705EC8 second address: 705ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705ECE second address: 705ED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7062E6 second address: 7062FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F59A4B45076h 0x00000008 jmp 00007F59A4B4507Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7064A9 second address: 7064C9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F59A4B60A26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 706779 second address: 70677E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70677E second address: 706788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F59A4B60A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7054E4 second address: 705511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F59A4B4507Eh 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F59A4B45080h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70BBFA second address: 70BBFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70BBFE second address: 70BC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C8B30 second address: 6C8B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C8B3C second address: 6C8B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B4507Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C8B4D second address: 513CE1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 movsx ecx, dx 0x0000000c push dword ptr [ebp+122D0019h] 0x00000012 or ecx, dword ptr [ebp+122D1839h] 0x00000018 mov edx, dword ptr [ebp+122D17B9h] 0x0000001e call dword ptr [ebp+122D1907h] 0x00000024 pushad 0x00000025 jmp 00007F59A4B60A23h 0x0000002a xor eax, eax 0x0000002c jnl 00007F59A4B60A1Ch 0x00000032 mov dword ptr [ebp+122D1ACDh], esi 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c pushad 0x0000003d call 00007F59A4B60A23h 0x00000042 mov eax, dword ptr [ebp+122D2C91h] 0x00000048 pop ecx 0x00000049 sub dword ptr [ebp+122D1BB2h], esi 0x0000004f popad 0x00000050 mov dword ptr [ebp+122D2C35h], eax 0x00000056 pushad 0x00000057 mov ax, EDDDh 0x0000005b adc di, 6200h 0x00000060 popad 0x00000061 mov esi, 0000003Ch 0x00000066 xor dword ptr [ebp+122D1BB2h], edx 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 stc 0x00000071 lodsw 0x00000073 jo 00007F59A4B60A17h 0x00000079 clc 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e mov dword ptr [ebp+122D1BB2h], edx 0x00000084 js 00007F59A4B60A1Ch 0x0000008a sub dword ptr [ebp+122D1BB2h], ebx 0x00000090 mov ebx, dword ptr [esp+24h] 0x00000094 jno 00007F59A4B60A1Dh 0x0000009a push eax 0x0000009b pushad 0x0000009c pushad 0x0000009d push eax 0x0000009e push edx 0x0000009f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C8C6D second address: 6C8C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C8C85 second address: 6C8C8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C8F38 second address: 6C8F4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45082h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C95B3 second address: 6C95C8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59A4B60A16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F59A4B60A16h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C95C8 second address: 6C9631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F59A4B45078h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D1BCCh], esi 0x00000028 and dx, EDDDh 0x0000002d push 0000001Eh 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007F59A4B45078h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 xor dword ptr [ebp+122D25DBh], edi 0x0000004f nop 0x00000050 jnc 00007F59A4B4507Ah 0x00000056 push eax 0x00000057 pushad 0x00000058 push esi 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C994B second address: 6C9951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9A36 second address: 6C9A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9A3C second address: 6AFE78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F59A4B60A16h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub dword ptr [ebp+122D3A97h], edx 0x00000013 lea eax, dword ptr [ebp+124883DFh] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F59A4B60A18h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov edi, dword ptr [ebp+122D318Bh] 0x00000039 push eax 0x0000003a js 00007F59A4B60A1Eh 0x00000040 push esi 0x00000041 jnl 00007F59A4B60A16h 0x00000047 pop esi 0x00000048 mov dword ptr [esp], eax 0x0000004b mov dword ptr [ebp+1247C712h], esi 0x00000051 call dword ptr [ebp+122D1AF2h] 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jbe 00007F59A4B60A16h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70AC64 second address: 70AC9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45087h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F59A4B4507Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F59A4B4507Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70AC9C second address: 70ACA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70ACA0 second address: 70ACB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jo 00007F59A4B450BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70ACB3 second address: 70ACBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F59A4B60A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70ACBD second address: 70ACD9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59A4B4507Eh 0x0000000d jne 00007F59A4B45076h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C8D43 second address: 6C8DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B60A1Ah 0x00000009 popad 0x0000000a xor dword ptr [esp], 24DE73ABh 0x00000011 call 00007F59A4B60A24h 0x00000016 jmp 00007F59A4B60A28h 0x0000001b pop ecx 0x0000001c call 00007F59A4B60A19h 0x00000021 jmp 00007F59A4B60A26h 0x00000026 push eax 0x00000027 jmp 00007F59A4B60A1Dh 0x0000002c mov eax, dword ptr [esp+04h] 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 push esi 0x00000034 pop esi 0x00000035 jmp 00007F59A4B60A22h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70AFC0 second address: 70AFC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70AFC4 second address: 70AFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F59A4B60A1Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F59A4B60A22h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70AFF7 second address: 70AFFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70AFFC second address: 70B002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70B122 second address: 70B154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45081h 0x00000009 popad 0x0000000a push edx 0x0000000b jnl 00007F59A4B45076h 0x00000011 jg 00007F59A4B45076h 0x00000017 pop edx 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c popad 0x0000001d push edi 0x0000001e jng 00007F59A4B4507Eh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70B5F2 second address: 70B62D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A1Ah 0x00000007 jmp 00007F59A4B60A1Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F59A4B60A26h 0x00000015 jnl 00007F59A4B60A16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70B62D second address: 70B64B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B4507Fh 0x00000007 jmp 00007F59A4B4507Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70B64B second address: 70B666 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71254E second address: 71255C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F59A4B45076h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71255C second address: 712561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7111FA second address: 711201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7114F3 second address: 711521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 jno 00007F59A4B60A1Eh 0x0000000d pushad 0x0000000e jmp 00007F59A4B60A20h 0x00000013 jnp 00007F59A4B60A16h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711BAA second address: 711BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F59A4B4507Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711BB9 second address: 711BDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push edi 0x0000000a jmp 00007F59A4B60A25h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711D8B second address: 711D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711EC1 second address: 711EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711EC6 second address: 711EFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F59A4B45076h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F59A4B45089h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e je 00007F59A4B45076h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711EFE second address: 711F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7121B3 second address: 7121B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7121B7 second address: 7121D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F59A4B60A1Eh 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7146C8 second address: 7146CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7148B7 second address: 7148BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7148BD second address: 7148C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7148C1 second address: 7148C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7148C5 second address: 7148CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7148CB second address: 7148E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F59A4B60A23h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 717452 second address: 71745D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F59A4B45076h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71745D second address: 717462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 717462 second address: 717468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DE12 second address: 71DE16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DE16 second address: 71DE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B45085h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F59A4B45082h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DE39 second address: 71DE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D66B second address: 71D682 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59A4B45082h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D682 second address: 71D688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D7DE second address: 71D7E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D7E2 second address: 71D7F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DB56 second address: 71DB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71DB5C second address: 71DB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72277C second address: 722782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 722782 second address: 72278E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F59A4B60A16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72278E second address: 722793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 722793 second address: 722798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7228CD second address: 7228D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7228D1 second address: 7228EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7228EA second address: 72291D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F59A4B45080h 0x0000000b jnc 00007F59A4B45083h 0x00000011 jne 00007F59A4B4507Eh 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 722A3E second address: 722A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jno 00007F59A4B60A16h 0x0000000c jng 00007F59A4B60A16h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 722A57 second address: 722A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F59A4B4507Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C939C second address: 6C9444 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F59A4B60A1Bh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d jnc 00007F59A4B60A18h 0x00000013 pop ecx 0x00000014 nop 0x00000015 mov dword ptr [ebp+122D1BB2h], ebx 0x0000001b mov ebx, dword ptr [ebp+1248841Eh] 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F59A4B60A18h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b mov dx, BE01h 0x0000003f pushad 0x00000040 mov dword ptr [ebp+1247348Ah], edx 0x00000046 jne 00007F59A4B60A1Ch 0x0000004c popad 0x0000004d add eax, ebx 0x0000004f push 00000000h 0x00000051 push ebp 0x00000052 call 00007F59A4B60A18h 0x00000057 pop ebp 0x00000058 mov dword ptr [esp+04h], ebp 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc ebp 0x00000065 push ebp 0x00000066 ret 0x00000067 pop ebp 0x00000068 ret 0x00000069 adc dh, 00000052h 0x0000006c push eax 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F59A4B60A28h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 723BD1 second address: 723BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 723BD5 second address: 723BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B60A29h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 723BF4 second address: 723C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F59A4B45076h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72734C second address: 727350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 727623 second address: 727629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FC5A second address: 72FC5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FC5E second address: 72FC62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FC62 second address: 72FC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F59A4B60A26h 0x0000000e jmp 00007F59A4B60A1Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72DE9B second address: 72DEBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E86A second address: 72E86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72EE27 second address: 72EE2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72EE2D second address: 72EE76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A20h 0x00000007 jng 00007F59A4B60A16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F59A4B60A23h 0x0000001a jmp 00007F59A4B60A26h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 739625 second address: 73962B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73962B second address: 73963B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F59A4B60A16h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 738817 second address: 738830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F59A4B45082h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 738830 second address: 738834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7391A6 second address: 7391BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jl 00007F59A4B45076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F59A4B45076h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7391BB second address: 7391CD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59A4B60A16h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FD14 second address: 73FD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F59A4B4507Ch 0x0000000a jmp 00007F59A4B45085h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop eax 0x00000018 jno 00007F59A4B4507Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FD4E second address: 73FD53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FD53 second address: 73FD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740158 second address: 74015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74015C second address: 740160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740160 second address: 740166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740166 second address: 74016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74016C second address: 74018E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007F59A4B60A16h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F59A4B60A1Ch 0x00000013 jg 00007F59A4B60A18h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7406AE second address: 7406DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F59A4B4507Ch 0x0000000c jnl 00007F59A4B45076h 0x00000012 popad 0x00000013 jl 00007F59A4B45093h 0x00000019 jmp 00007F59A4B4507Dh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop eax 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7406DA second address: 7406DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F7DA second address: 73F802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jmp 00007F59A4B45085h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F802 second address: 73F820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F59A4B60A29h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6871A4 second address: 6871AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6871AF second address: 6871B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6871B3 second address: 6871BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7489ED second address: 7489FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7489FB second address: 748A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7570DF second address: 7570EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75FA0A second address: 75FA10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75FA10 second address: 75FA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B60A1Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75FA23 second address: 75FA2D instructions: 0x00000000 rdtsc 0x00000002 je 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75FA2D second address: 75FA32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 768302 second address: 768316 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F59A4B45076h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 768316 second address: 768330 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F59A4B60A16h 0x00000008 jmp 00007F59A4B60A20h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 768330 second address: 768335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 768150 second address: 76815A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F59A4B60A16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76815A second address: 76817B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F59A4B45085h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76817B second address: 76817F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76817F second address: 7681B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F59A4B45076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F59A4B45085h 0x00000014 popad 0x00000015 push edi 0x00000016 push edx 0x00000017 pop edx 0x00000018 ja 00007F59A4B45076h 0x0000001e pop edi 0x0000001f push esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7701F4 second address: 770208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B60A20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77049F second address: 7704F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F59A4B4507Bh 0x0000000a jmp 00007F59A4B45081h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F59A4B45085h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b jl 00007F59A4B45076h 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F59A4B45082h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 770685 second address: 77068A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77068A second address: 770694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 774679 second address: 77469C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F59A4B60A16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F59A4B60A20h 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77469C second address: 7746AA instructions: 0x00000000 rdtsc 0x00000002 je 00007F59A4B45076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7746AA second address: 7746B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F59A4B60A16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7746B4 second address: 7746D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F59A4B45082h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7746D2 second address: 7746D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77481E second address: 774822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777C9B second address: 777C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777C9F second address: 777CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777CA5 second address: 777CCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B60A1Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 jmp 00007F59A4B60A1Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777CCF second address: 777CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777CD3 second address: 777CD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777CD9 second address: 777CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78753B second address: 78753F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7873A6 second address: 7873DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jnc 00007F59A4B45076h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F59A4B45089h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F59A4B4507Bh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF1A5 second address: 7AF1A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF1A9 second address: 7AF1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59A4B4507Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F59A4B45089h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF1DC second address: 7AF1F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59A4B60A1Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF6D6 second address: 7AF6DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF6DA second address: 7AF6EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F59A4B60A1Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF6EE second address: 7AF6F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF6F6 second address: 7AF6FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF6FA second address: 7AF6FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF9CA second address: 7AF9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F59A4B60A16h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFD6E second address: 7AFD84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jl 00007F59A4B45076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F59A4B4507Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B5D97 second address: 7B5DA3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F59A4B60A16h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7D54 second address: 7B7D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B10E75 second address: 4B10E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B10E79 second address: 4B10E93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59A4B45086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B10E93 second address: 4B10EA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59A4B60A1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B10EA5 second address: 4B10EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B10EA9 second address: 4B10F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F59A4B60A5Ch 0x0000000e jmp 00007F59A4B60A27h 0x00000013 add eax, ecx 0x00000015 pushad 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F59A4B60A22h 0x0000001d and ax, 2D88h 0x00000022 jmp 00007F59A4B60A1Bh 0x00000027 popfd 0x00000028 mov eax, 410F41FFh 0x0000002d popad 0x0000002e popad 0x0000002f mov eax, dword ptr [eax+00000860h] 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F59A4B60A1Dh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B10F13 second address: 4B10FB9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F59A4B45080h 0x00000008 sbb esi, 1B2A4318h 0x0000000e jmp 00007F59A4B4507Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ch, 4Ah 0x00000018 popad 0x00000019 test eax, eax 0x0000001b jmp 00007F59A4B4507Bh 0x00000020 je 00007F5A1696AE8Bh 0x00000026 pushad 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F59A4B45082h 0x0000002e adc si, E4A8h 0x00000033 jmp 00007F59A4B4507Bh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F59A4B45088h 0x0000003f xor ch, 00000008h 0x00000042 jmp 00007F59A4B4507Bh 0x00000047 popfd 0x00000048 popad 0x00000049 mov edi, eax 0x0000004b popad 0x0000004c test byte ptr [eax+04h], 00000005h 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F59A4B45081h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CDFEA second address: 6CDFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CDFEF second address: 6CDFF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 513D6B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6BFBBD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6BE36F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6E7FBF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 74EF0B instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4508

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2163004974.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162849161.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F5BB0 LdrInitializeThunk,

0_2_004F5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor

Source: file.exe, file.exe, 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
sergei-esenin.com	104.21.53.8	true	true	unknown
eaglepawnoy.store	unknown	unknown	true	unknown
bathdoomgaz.store	unknown	unknown	true	unknown
spirittunek.store	unknown	unknown	true	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	true	unknown
mobbipenju.store	unknown	unknown	true	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dissapoiznw.storec	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
eaglepawnoy.storec	true		unknown
spirittunek.storec	true		unknown
studennotediw.storec	true		unknown
licendfilteo.sitec	true		unknown
clearancek.site	true		unknown
bathdoomgaz.storec	true		unknown
mobbipenju.store	true		unknown
https://sergei-esenin.com/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/	file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steam.tv/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.u	file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sketchfab.com	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	file.exe, 00000000.00000003.2161915191.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148020075.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162953308.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900IF	file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.2161915191.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148020075.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162953308.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=qu55UpguGheU&l=e	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2161990610.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148078641.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163045564.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2147956944.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	file.exe, 00000000.00000003.2147893350.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161742662.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2161777350.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2163004974.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147893350.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147956944.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529360
Start date and time:	2024-10-08 22:31:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:32:02	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	VmRHSCaiyc.exe	Get hash	malicious	LummaC, Vidar	Browse
	SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	PWGen_[2MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	15PylGQjzK.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	Ji7kZhlqxz.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	original.eml	Get hash	malicious	HtmlDropper	Browse	104.18.95.41
	https://www-washingtoncountyinsider-com.webpkgcache.com/doc/-/s/www.washingtoncountyinsider.com//	Get hash	malicious	Unknown	Browse	104.26.4.144
	Illustrator_Set-Up.exe	Get hash	malicious	Unknown	Browse	172.66.0.163
	PrintDriver_x64.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	https://shoutout.wix.com/so/68P9j4pbc/c?w=YIpy_LmKpeOuRTcqEasLgbctjTenhex96yD397bZU04.eyJ1IjoiaHR0cHM6Ly9maWxlc3NoYXJlcy5naXRodWIuaW8vYXJ1dHkvIiwiciI6IjU3ZWU5MDNjLTU1YjktNDMxYS0zNDRiLWUzZjYxNjRhN2I0MiIsIm0iOiJtYWlsIiwiYyI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9	Get hash	malicious	HTMLPhisher	Browse	172.67.136.56
	Remittance_Regulvar.htm	Get hash	malicious	Unknown	Browse	172.64.151.101
	securedoc_20241008T101508.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	Adfast Canada Request For Proposal (RFP) ID#9009.pdf	Get hash	malicious	Unknown	Browse	104.18.95.41
	fBcMVl6ns6.lnk	Get hash	malicious	RHADAMANTHYS	Browse	188.114.96.3
AKAMAI-ASUS	original.eml	Get hash	malicious	HtmlDropper	Browse	23.203.104.175
	https://www-washingtoncountyinsider-com.webpkgcache.com/doc/-/s/www.washingtoncountyinsider.com//	Get hash	malicious	Unknown	Browse	104.102.19.45
	Illustrator_Set-Up.exe	Get hash	malicious	Unknown	Browse	2.19.126.211
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Adfast Canada Request For Proposal (RFP) ID#9009.pdf	Get hash	malicious	Unknown	Browse	184.28.88.176
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	Demande de proposition de AVANTAGE INDUSTRIEL INC.pdf	Get hash	malicious	HtmlDropper	Browse	23.203.104.175
	UuYpv6CTVM.elf	Get hash	malicious	Mirai	Browse	104.97.45.242
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	2LgQzImW3E.elf	Get hash	malicious	Mirai	Browse	23.204.209.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	77IyY7nCKB.xls	Get hash	malicious	Unknown	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	EDc1DW9OsQ.xlsx	Get hash	malicious	Unknown	Browse	104.21.53.8 104.102.49.254
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	104.21.53.8 104.102.49.254
	PWGen_[2MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948526105757604
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'877'504 bytes
MD5:	0d807d16e7731b2dd9cb3048b3a13f14
SHA1:	bbb157924fdaa9990df2254d740495c95f15c1c8
SHA256:	08643496ffbec35a84e902dbdbfe27b8b1043d66627dec62d3c6a2f0de76111c
SHA512:	a2b19f969f70fac8395977e1143c90b06a223457ef7c2fad3f807f27c21fa8ed4fb8a7a2b9ee648ff0a18705df76c70fb4a2119af9397cfe2ad2547ef7e6b2ae
SSDEEP:	49152:HEhi2+MJMnDDzPUFk4T78KJo0m5dE9+7pFV3:H6T+MJU8B7hO0AdEOFV3
TLSH:	1C95330449421A54EED94DF2407B521E092CAB06173FFFB6BA1CDA30956F778B0E3BA5
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f.............................0K...........@..........................`K.....E.....@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F59A510A2BAh
je 00007F59A510A2D2h
add byte ptr [eax], al
jmp 00007F59A510C2B5h
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	97c860e57684c618a2905ca325809caf	False	0.9991555796204621	data	7.966805914787849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2b1000	0x200	a80393e934319b76915be5a05587814e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ozuzauxt	0x311000	0x1a1000	0x1a0e00	d854ea981b5b3d96d206406daacde6bb	False	0.9943338877436282	data	7.954408538139141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ytfcriws	0x4b2000	0x1000	0x400	350b7ef4be6a1431bc3bdf3d95205751	False	0.8095703125	data	6.240834549257973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b3000	0x3000	0x2200	7aaf0411d6d64dad3f29cb1fb9e47294	False	0.06284466911764706	DOS executable (COM)	0.7382530690260755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T22:32:02.635907+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.6	56997	1.1.1.1	53	UDP
2024-10-08T22:32:02.655613+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.6	53377	1.1.1.1	53	UDP
2024-10-08T22:32:02.668267+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.6	60343	1.1.1.1	53	UDP
2024-10-08T22:32:02.679483+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.6	53279	1.1.1.1	53	UDP
2024-10-08T22:32:02.691045+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.6	54230	1.1.1.1	53	UDP
2024-10-08T22:32:02.709604+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.6	51109	1.1.1.1	53	UDP
2024-10-08T22:32:02.720654+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.6	52865	1.1.1.1	53	UDP
2024-10-08T22:32:02.731879+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.6	61521	1.1.1.1	53	UDP
2024-10-08T22:32:05.673642+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49714	104.21.53.8	443	TCP
2024-10-08T22:32:05.673642+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49714	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 22:32:02.920089006 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:02.920136929 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:02.920211077 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:02.956561089 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:02.956576109 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:03.627345085 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:03.627424002 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:03.632004023 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:03.632019997 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:03.632406950 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:03.681673050 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:03.727406025 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.193380117 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.193439007 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.193479061 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.193481922 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.193496943 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.193526983 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.193545103 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.193552971 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.193617105 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.193617105 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.290204048 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.290265083 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.290321112 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.290328979 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.290364027 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.290384054 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.295943022 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.296025038 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.296041965 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.296089888 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.296096087 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.296184063 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.296230078 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.298571110 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.298582077 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.298593998 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 8, 2024 22:32:04.298599005 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 8, 2024 22:32:04.336309910 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:04.336337090 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:04.336420059 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:04.336747885 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:04.336761951 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:04.843182087 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:04.843364954 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:04.845896959 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:04.845907927 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:04.846235037 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:04.847606897 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:04.847621918 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:04.847734928 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:05.673588991 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:05.673808098 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:05.673862934 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:05.684143066 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:05.684158087 CEST	443	49714	104.21.53.8	192.168.2.6
Oct 8, 2024 22:32:05.684166908 CEST	49714	443	192.168.2.6	104.21.53.8
Oct 8, 2024 22:32:05.684171915 CEST	443	49714	104.21.53.8	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 22:32:02.635906935 CEST	56997	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.652085066 CEST	53	56997	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:02.655612946 CEST	53377	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.665832043 CEST	53	53377	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:02.668267012 CEST	60343	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.678080082 CEST	53	60343	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:02.679482937 CEST	53279	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.690104008 CEST	53	53279	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:02.691045046 CEST	54230	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.708520889 CEST	53	54230	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:02.709604025 CEST	51109	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.719552994 CEST	53	51109	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:02.720654011 CEST	52865	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.730731010 CEST	53	52865	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:02.731878996 CEST	61521	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.741437912 CEST	53	61521	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:02.815134048 CEST	51942	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:02.825516939 CEST	53	51942	1.1.1.1	192.168.2.6
Oct 8, 2024 22:32:04.323503971 CEST	59379	53	192.168.2.6	1.1.1.1
Oct 8, 2024 22:32:04.335659027 CEST	53	59379	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 22:32:02.635906935 CEST	192.168.2.6	1.1.1.1	0xb7cb	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.655612946 CEST	192.168.2.6	1.1.1.1	0x5cba	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.668267012 CEST	192.168.2.6	1.1.1.1	0xd6d6	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.679482937 CEST	192.168.2.6	1.1.1.1	0x10b9	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.691045046 CEST	192.168.2.6	1.1.1.1	0xad	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.709604025 CEST	192.168.2.6	1.1.1.1	0x5a83	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.720654011 CEST	192.168.2.6	1.1.1.1	0x980	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.731878996 CEST	192.168.2.6	1.1.1.1	0xca38	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.815134048 CEST	192.168.2.6	1.1.1.1	0x963e	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:04.323503971 CEST	192.168.2.6	1.1.1.1	0xaae	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 22:32:02.652085066 CEST	1.1.1.1	192.168.2.6	0xb7cb	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.665832043 CEST	1.1.1.1	192.168.2.6	0x5cba	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.678080082 CEST	1.1.1.1	192.168.2.6	0xd6d6	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.690104008 CEST	1.1.1.1	192.168.2.6	0x10b9	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.708520889 CEST	1.1.1.1	192.168.2.6	0xad	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.719552994 CEST	1.1.1.1	192.168.2.6	0x5a83	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.730731010 CEST	1.1.1.1	192.168.2.6	0x980	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.741437912 CEST	1.1.1.1	192.168.2.6	0xca38	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:02.825516939 CEST	1.1.1.1	192.168.2.6	0x963e	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:04.335659027 CEST	1.1.1.1	192.168.2.6	0xaae	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 8, 2024 22:32:04.335659027 CEST	1.1.1.1	192.168.2.6	0xaae	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	104.102.49.254	443	5960	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 20:32:03 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-08 20:32:04 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 08 Oct 2024 20:32:04 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=3bec567ad78964e101629a82; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-08 20:32:04 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-08 20:32:04 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-08 20:32:04 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-08 20:32:04 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49714	104.21.53.8	443	5960	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 20:32:04 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-08 20:32:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-08 20:32:05 UTC	795	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 20:32:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ojvqttuq6stscfvi3br1af5dcd; expires=Sat, 01 Feb 2025 14:18:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=94XeMbVUwmmBGNKz%2B9rtjqgPcFcFQWVIdhOCWMfxK46ePxaSYAqtF2Q47JL6LD8KiKpTzUIfFuqiMEp2LVmG2eg9jqHIImAUDUXJhvKDYm7LSntiZWo0ZYyKKx%2B3oN58zHznNQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf8e5ef082536c5-YYZ
2024-10-08 20:32:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-08 20:32:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:32:00
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4b0000
File size:	1'877'504 bytes
MD5 hash:	0D807D16E7731B2DD9CB3048B3A13F14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	74.4%
Total number of Nodes:	39
Total number of Limit Nodes:	4

Executed Functions

Function 004BFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J|BJ, xrefs: 004C000D
VY^_, xrefs: 004BFDFF
t, xrefs: 004BFCBE
V, xrefs: 004BFEDC

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 3e6e13e874c8fadb3c56de01831c1912091ef19cccf48267588c2a52f1f3a28f
Instruction ID: 48f1a6b03d2ecf4db444281f25d781550eac05eaaf98c385b157104e1d319cd3
Opcode Fuzzy Hash: 3e6e13e874c8fadb3c56de01831c1912091ef19cccf48267588c2a52f1f3a28f
Instruction Fuzzy Hash: 69D179785083809BD310DF199990B6FFBE1AB92744F18481EF5C98B352C73ACD09DB9A

Function 004BD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004BD2F1

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 79a9d69f805f8069dc09fe935fd29fd1c56c36f073c6c00032f92c9ac84981d9
Instruction ID: 9535176eee7f7001a03ab7b96536952349db52672546d7e85a58a41b6c47c77e
Opcode Fuzzy Hash: 79a9d69f805f8069dc09fe935fd29fd1c56c36f073c6c00032f92c9ac84981d9
Instruction Fuzzy Hash: 8F417A7080D380ABC301BB69D685A2FFBF5AF52708F048C9DE5C497212D339D8109B6B

Function 004F5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 004F5784

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4fbd109beba0a96dc61653e717a8bda139c5eea865e60b5ce7cf42e7c2314d70
Instruction ID: 0714ee632e86929f865dbe7398ddadf168e57073fafe5b08e247bd97b4a2cd38
Opcode Fuzzy Hash: 4fbd109beba0a96dc61653e717a8bda139c5eea865e60b5ce7cf42e7c2314d70
Instruction Fuzzy Hash: 7D11917151C640EBC301AF18E940A2FBBF5DF96711F05882DE6C49B211D339D815CB97

Function 004F5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(004F973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 004F5BDE

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 004F695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 004F69C5

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: eca08cb17e8c2df37b0a6b36eed2c26bf6a0d7f87cce215e3b8d6e4a04def104
Instruction ID: 32e9d0842800a7d9956c4add7bd607d96a4ecb0f6f1e98f1b9454abac684102c
Opcode Fuzzy Hash: eca08cb17e8c2df37b0a6b36eed2c26bf6a0d7f87cce215e3b8d6e4a04def104
Instruction Fuzzy Hash: 69319AB09083059FD714DF28C49073BB7F1EF95344F44981DE6C697261E3399908DB5A

Function 004C049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fe0f158990c69fc6df9df5385e3b77e5a58250ec5f87ee96fae80b296a6342
Instruction ID: f3ba7f8495b635b23150b73cfcfa1cbca2ee4327143f0cecd71291513bb90b6a
Opcode Fuzzy Hash: e4fe0f158990c69fc6df9df5385e3b77e5a58250ec5f87ee96fae80b296a6342
Instruction Fuzzy Hash: E1918B75200B00DFD724CF25E890B26B7F6FF89314B118A6DE9568BAA1DB34E819CB54

Function 004C0228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d3010fe6e23ae40c57dbf911f02a33914d15dff41b3319dc4ec917cfe50c7b
Instruction ID: ba8cd2fc52fef9fe41999e60776a979a1a97d5c9f6890818a7ce551bfd11b7ef
Opcode Fuzzy Hash: 13d3010fe6e23ae40c57dbf911f02a33914d15dff41b3319dc4ec917cfe50c7b
Instruction Fuzzy Hash: D6716878200700DFD7248F21E894B2AB7F6FF49314F10897DE9568B662DB35A829CB54

Function 004F99D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe9945ee681270be6e2e9e88f8ce63e489ae930fa2cf1d5016a0434f0f312d1
Instruction ID: b27d3f9d48464daca6bae09b3706be7d70c524fc63a58acc262a32caeeb68836
Opcode Fuzzy Hash: bfe9945ee681270be6e2e9e88f8ce63e489ae930fa2cf1d5016a0434f0f312d1
Instruction Fuzzy Hash: A441ED34608348ABDB14DA15D890B3FB7A6EB85714F54882EE68A87351D338EC11DB6A

Function 004F63B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c36ef1c540754b15f78248ee6745b327598386482826d6552204c5d43b237b2
Instruction ID: 3ebe2cd7777a7dcc6771af83bfc38e5fd26f7d3c031ad3a18b726d125d283273
Opcode Fuzzy Hash: 6c36ef1c540754b15f78248ee6745b327598386482826d6552204c5d43b237b2
Instruction Fuzzy Hash: 37312230208305BADA24EB04CD82F3FB7A5EB90B54FA4890DF7815B2E1D374A8119B1A

Function 004C0EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf2d6c95991651dfe0cf28570558d5cb5fddd0437d7bf9ee4da76468b28cbfa
Instruction ID: 39236d65d82ed335891a875de047a0be9e0d760a4fa53925de36ec16bd733d62
Opcode Fuzzy Hash: bbf2d6c95991651dfe0cf28570558d5cb5fddd0437d7bf9ee4da76468b28cbfa
Instruction Fuzzy Hash: AC2116B490021A9FDB15CF94CC90FBEBBB1FB4A304F144819E511AB292C775A951CB68

Function 004F3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004F32A6

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 86c6dde9e1ff048a8f07ad1716d32036ba6eb650debd8137bf71abbf6a6e9a4f
Instruction ID: f4848bde2011a6e06ffd4388a0e5817fda55b2842ddbdaf2c39e5e721d867a34
Opcode Fuzzy Hash: 86c6dde9e1ff048a8f07ad1716d32036ba6eb650debd8137bf71abbf6a6e9a4f
Instruction Fuzzy Hash: 41014B3450D2409BC701AF18E885A2EBBE8EF5A701F054C5CE6C58B361D339DD64DBA6

Function 004F3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 004F3208

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cb795e417566f6e4357aab092f81970b809136a17b8969d072c842b113c276e9
Instruction ID: 24e4a84c81cc6c9faad4c11b19067fd6469fdf11342b81de356b51c51f39fbb3
Opcode Fuzzy Hash: cb795e417566f6e4357aab092f81970b809136a17b8969d072c842b113c276e9
Instruction Fuzzy Hash: 24B012300400005FDA141B00EC0AF043520EB10605F800050B500040B1D1615868D565

Non-executed Functions

Function 004E23E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON

Download Yara Rule

Strings

f@~!, xrefs: 004E25FF
Cx, xrefs: 004E453D
ggxz, xrefs: 004E2685
`tii, xrefs: 004E2693
3<, xrefs: 004E32D6
mlc@, xrefs: 004E275C
aenQ, xrefs: 004E276A
|}&C, xrefs: 004E2F21
:, xrefs: 004E32DD
{l`~, xrefs: 004E268C
%*+(, xrefs: 004E40EF
#v, xrefs: 004E344B, 004E4861
fedc, xrefs: 004E2782

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$#v
API String ID: 0-2260822535
Opcode ID: aa6e6a474d5f6c7f73ec3317a5189015ed6efa32a39ef60a15570db82e24b0f2
Instruction ID: d709471c722741178d6ca2ddaf2557cf3e21430b2e51421715e5a81eb27e7c3d
Opcode Fuzzy Hash: aa6e6a474d5f6c7f73ec3317a5189015ed6efa32a39ef60a15570db82e24b0f2
Instruction Fuzzy Hash: 9433CE70504B818FD7268F3AC590763BBE1BF16306F58499ED4DA8B782C339E806CB65

Function 004CDB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

dcba, xrefs: 004CE728
LKJI, xrefs: 004CE6E6
tsrq, xrefs: 004CE6FC
T, xrefs: 004CF157
`Y^_, xrefs: 004CE99E
DCBA, xrefs: 004CE887, 004CE896
tuJK, xrefs: 004CE967
lkji, xrefs: 004CE73E
<=:;, xrefs: 004CE930
`onm, xrefs: 004CE733
xgfe, xrefs: 004CE71D
<=2, xrefs: 004CEA01
%*+(, xrefs: 004CDE37, 004CDE46
mjkh, xrefs: 004CE7D8
|, xrefs: 004CECB1
89&', xrefs: 004CE93B
D, xrefs: 004CE846
QNOL, xrefs: 004CE775
@ONM, xrefs: 004CE6DB
AR, xrefs: 004CDD10
()./, xrefs: 004CE9CA
WP, xrefs: 004CDCEF
:WUE, xrefs: 004CF6B7, 004CF6C6
89>?, xrefs: 004CE9F6

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 9123b712815e6642138bbbcf117bbd93b5d8350d9ceec4ab4e2f47db96065776
Instruction ID: be1722c8b15b7eee7d975793e84bb9119464188d7af61c2b50a4728e3b297e8c
Opcode Fuzzy Hash: 9123b712815e6642138bbbcf117bbd93b5d8350d9ceec4ab4e2f47db96065776
Instruction Fuzzy Hash: 8BF29AB45083819FD7B0CF15C484BABBBE2BFD5304F14482EE4C98B251DB399985CB9A

Function 004D9F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

(a*c, xrefs: 004DA147
kW, xrefs: 004DA380
/), xrefs: 004DA66D
_Y, xrefs: 004DA641
%e6g, xrefs: 004DA152
N[, xrefs: 004DA375
?m,o, xrefs: 004DA13C
WH, xrefs: 004DAA1C
sm, xrefs: 004DA830
=], xrefs: 004DA36A
WQ, xrefs: 004DA62B
JG, xrefs: 004DAA27
]{, xrefs: 004DA1E7, 004DA1F3
S], xrefs: 004DA636
CG, xrefs: 004DAA32
hi, xrefs: 004DAB9D
Gt, xrefs: 004D9FF8

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: fa5d7d0799ea197406429de6d55caae9b5721cd76cc2a02b8f7ec3d7b4d90a8d
Instruction ID: 962098cb2a7adf42d26b8eb46d0ab584b1e6a6d6a462f56544b24a4693a0ee44
Opcode Fuzzy Hash: fa5d7d0799ea197406429de6d55caae9b5721cd76cc2a02b8f7ec3d7b4d90a8d
Instruction Fuzzy Hash: 4252C7B400D385CAE270CF26D581B8EBAF1BB92744F608A1EE1ED5B255DB748045CF97

Function 004D9510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

B7U1, xrefs: 004D9AFB
!E4G, xrefs: 004D9836
G+X5, xrefs: 004D9AF3
G'M!, xrefs: 004D9ADB
z=Q?, xrefs: 004D9826
8;, xrefs: 004D9B13
,A&C, xrefs: 004D982E
?M0K, xrefs: 004D9968
O+f), xrefs: 004D9634, 004D963D
2A"_, xrefs: 004D9980
T#a-, xrefs: 004D9AE3
pq, xrefs: 004D99E0
;IJK, xrefs: 004D983E
X/R), xrefs: 004D9AEB
L3Y=, xrefs: 004D9B03
B?Q9, xrefs: 004D9B0B

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 21c33efd6bad26429164b64ff6e0297b4aa7702cdebbbf58094b4fa683e1597d
Instruction ID: 7614420da8511c7880674fe2093069c653e6686c993db52a8a07fe4d8a02f84b
Opcode Fuzzy Hash: 21c33efd6bad26429164b64ff6e0297b4aa7702cdebbbf58094b4fa683e1597d
Instruction Fuzzy Hash: C5F13DB4508380ABD310DF15D8A0A2BBBE4FB96B48F044D1EF4D59B352D378D908DB9A

Function 004DDD29 Relevance: 18.6, Strings: 14, Instructions: 1142COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004DE143
hX]N, xrefs: 004DDDC7
upH}, xrefs: 004DDE8A, 004DE798, 004DDF4A
M, xrefs: 004DE403, 004DE664, 004DE7BD
<Y.[, xrefs: 004DE27D
Y9N;, xrefs: 004DE245
rM, xrefs: 004DE92E
=]+_, xrefs: 004DE276
,Q?S, xrefs: 004DE26F
-M2O, xrefs: 004DE25A
)IgK, xrefs: 004DE261
n\+H, xrefs: 004DDDC0
M, xrefs: 004DE9C5
{E, xrefs: 004DE323

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: M$%*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$rM$upH}${E$M
API String ID: 0-1155588568
Opcode ID: 022ccbd6af5dbaf9e797d759fc76689ec15dae5f12ccb06c9865cb69037f71a1
Instruction ID: b010e7a20516a2b439354df8b888d8a72f3a83d6b1052950083a11348ba56f84
Opcode Fuzzy Hash: 022ccbd6af5dbaf9e797d759fc76689ec15dae5f12ccb06c9865cb69037f71a1
Instruction Fuzzy Hash: 48920171E00605CFDB04CF69D8916AEBBB2FF59314F28816EE412AB391D739AD01CB95

Function 00685B04 Relevance: 14.2, Strings: 10, Instructions: 1652COMMON

Download Yara Rule

Strings

Qr_v, xrefs: 00685C97
'x`, xrefs: 00686219
8{m, xrefs: 006866A7
$ m, xrefs: 00686DCC
PYD?, xrefs: 006862EE
)q;, xrefs: 00685C3E
-zw, xrefs: 006864DD
HY=|, xrefs: 006868B0
P/V}, xrefs: 00685E97
vr7v, xrefs: 006862E9

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: $ m$'x`$-zw$8{m$HY=|$P/V}$PYD?$Qr_v$vr7v$)q;
API String ID: 0-1774224734
Opcode ID: 0ba7e936892ff94fce001400d4ee8697680ac2ee11b2b9c8cdaac876b9238417
Instruction ID: b55d9724a7f25978e1a74279d53008196ecae470c235dbc37e1a2c4176be41a8
Opcode Fuzzy Hash: 0ba7e936892ff94fce001400d4ee8697680ac2ee11b2b9c8cdaac876b9238417
Instruction Fuzzy Hash: 60B226F390C2049FE3046E29EC8567AFBE9EF94720F1A492DE6C4C7744EA3598018797

Function 0068269F Relevance: 11.6, Strings: 8, Instructions: 1579COMMON

Download Yara Rule

Strings

vO, xrefs: 0068322A
2Z>, xrefs: 0068332B
rb{+, xrefs: 00682872
GRoj, xrefs: 006837A3
Fus[, xrefs: 00683308
2Z>, xrefs: 0068333F
aJm, xrefs: 00682866
Ai{, xrefs: 006829FB

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 2Z>$2Z>$Ai{$Fus[$GRoj$aJm$rb{+$vO
API String ID: 0-4223693194
Opcode ID: 8e3e47d5af11119fd7467a2ef172a1d0eb7ef8e468632ef29445594aa0548742
Instruction ID: e59ad64f5d3542734a2a0811d411c48d29cef3f00f67c55767fee351111074aa
Opcode Fuzzy Hash: 8e3e47d5af11119fd7467a2ef172a1d0eb7ef8e468632ef29445594aa0548742
Instruction Fuzzy Hash: 82B2F4F360C204AFE3046E2DEC8567AFBE9EF94720F1A493DE6C487744E63598048796

Function 004D098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

{, xrefs: 004D1502
cah`, xrefs: 004D107E
%*+(, xrefs: 004D0A77, 004D0A86
,#15, xrefs: 004D0F94
gce/, xrefs: 004D1073
qrqp, xrefs: 004D1089
&> &, xrefs: 004D0F89
9.5^, xrefs: 004D0F9F

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 7f0441ec7ae8cdbeb4ede27dc5806a270535944a05f42f5ffa08f771b9d12020
Instruction ID: 327467941ab2f68947f071265c7b54ef1f6a9e5d0b9c8cef2141ae26d1bae147
Opcode Fuzzy Hash: 7f0441ec7ae8cdbeb4ede27dc5806a270535944a05f42f5ffa08f771b9d12020
Instruction Fuzzy Hash: 3262A9B16083818BD730CF14D8A1BAFB7E1FB96314F04492EE49A8B791E3799844CB57

Function 004B1000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 004B22E1
-, xrefs: 004B21ED
0123456789ABCDEFXP, xrefs: 004B157D, 004B15EB
gfff, xrefs: 004B2297
0123456789abcdefxp, xrefs: 004B1587, 004B15F8
gfff, xrefs: 004B2226
@, xrefs: 004B2C40

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: ebc4837e02e586cebab933d6041064ed014e3de2f0c1164a37f7a8a9a1e279a5
Instruction ID: 198711b85debba5db693e6055f8fcd9b9eccfbf1f28ef3090f01b1f2c5139fac
Opcode Fuzzy Hash: ebc4837e02e586cebab933d6041064ed014e3de2f0c1164a37f7a8a9a1e279a5
Instruction Fuzzy Hash: 00D228716083418FC718CE29C4943ABBBE2AFD9314F188A2EE495C7391D778DD45CBA6

Function 0068AC9E Relevance: 9.2, Strings: 6, Instructions: 1668COMMON

Download Yara Rule

Strings

{{?, xrefs: 0068B732
ZB}~, xrefs: 0068B58D
~mn, xrefs: 0068AFF8
=]_?, xrefs: 0068AD6C
1f, xrefs: 0068B301
~mn, xrefs: 0068AF45

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: {{?$1f$=]_?$ZB}~$~mn$~mn
API String ID: 0-3438676715
Opcode ID: 6d372744c8c7a5f85b0f228ad57199517f336dccb2cc4f2d0a1ffb4164e6c780
Instruction ID: 3509a39281d37c3882c49471e1d34677d81a326a8f440939dfd08e66477bf991
Opcode Fuzzy Hash: 6d372744c8c7a5f85b0f228ad57199517f336dccb2cc4f2d0a1ffb4164e6c780
Instruction Fuzzy Hash: 6BB239F3A0C6109FE3046E2DEC4567AFBEAEFD4620F1A463EE6C4C7744E97158018696

Function 0067F184 Relevance: 9.1, Strings: 6, Instructions: 1607COMMON

Download Yara Rule

Strings

t.'w, xrefs: 0067F406
+[T|, xrefs: 0067F745
36S, xrefs: 0067FD4E
PGj{, xrefs: 0067F4DC
MI/g, xrefs: 00680130
FmU|, xrefs: 0067F5FE

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: +[T|$36S$FmU|$MI/g$PGj{$t.'w
API String ID: 0-267852672
Opcode ID: 33c591957a88ff775159bcb1a5c8add8a4eae6479f5ea0ec8a0e6a68b6cd5c45
Instruction ID: 955593337f4cccbe72cc90c50a18b2cf9715f31e3e2438afd4239319b1493c69
Opcode Fuzzy Hash: 33c591957a88ff775159bcb1a5c8add8a4eae6479f5ea0ec8a0e6a68b6cd5c45
Instruction Fuzzy Hash: B9B2F3F3A0C2009FE304AE29EC8567ABBE5EF94720F1A893DE6C487744E63558458797

Function 0067D6AE Relevance: 7.8, Strings: 5, Instructions: 1585COMMON

Download Yara Rule

Strings

VgB, xrefs: 0067E622
B;w9, xrefs: 0067DA7A
=?}, xrefs: 0067DF30
9_, xrefs: 0067E943
.Oy , xrefs: 0067E49D

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: .Oy $9_$=?}$B;w9$VgB
API String ID: 0-1268838670
Opcode ID: f3f9439624113dd8fcd876e98bf4dd67923941a82d33d3d12b007e3768437236
Instruction ID: 4cbbd3ec3812578e387f3435f06b52659f9b44574525b74f13abca858e96b5ce
Opcode Fuzzy Hash: f3f9439624113dd8fcd876e98bf4dd67923941a82d33d3d12b007e3768437236
Instruction Fuzzy Hash: 0FB2E6F3608200AFE304AE29EC8577AFBE5EF94320F16893DEAC5C7744E63558458697

Function 00680CA9 Relevance: 7.8, Strings: 5, Instructions: 1539COMMON

Download Yara Rule

Strings

o{Z, xrefs: 00680D3B
p3}O, xrefs: 00681AD5
=+?, xrefs: 00681F5A
F8er, xrefs: 006819AC, 00681A3D, 00681B06, 00681BD5, 00681C0E, 00681C37, 00681C5F, 00681CCF
#tH/, xrefs: 00681691

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: #tH/$=+?$F8er$o{Z$p3}O
API String ID: 0-2556501811
Opcode ID: 16e03aaf5fe42ac9709f6b4f2bf7c071c91603b5a470b4d52f41607b14fcb3cf
Instruction ID: 01c49ca6ee3d55c1e6c2edc35c6fcd20abaf50b4a3dc3fdd40006bf444c8b4af
Opcode Fuzzy Hash: 16e03aaf5fe42ac9709f6b4f2bf7c071c91603b5a470b4d52f41607b14fcb3cf
Instruction Fuzzy Hash: B1B2D2F3A0C2009FE704AE29DC8567AFBE9EF94720F16492DEAC4C3744E63598148797

Function 004B12F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 004B1E88
0, xrefs: 004B243E
@, xrefs: 004B3531
i, xrefs: 004B28EA
0, xrefs: 004B1DC1

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: e321837ddcd1bb00f54b697244c519c2b78dfdf91c701cb4010e67a71cc8f447
Instruction ID: 077d0fc8af53d23fb40fa62d2c6da33f08030350fde25f1a555fa6cda6427d74
Opcode Fuzzy Hash: e321837ddcd1bb00f54b697244c519c2b78dfdf91c701cb4010e67a71cc8f447
Instruction Fuzzy Hash: 0C62E47160C3819BC318DE28C5907ABBBE1AFD5304F188E1EE8D9873A1D7B8D945CB56

Function 004B164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

gfff, xrefs: 004B1F3C
+, xrefs: 004B1573
0123456789ABCDEFXP, xrefs: 004B164F
0123456789abcdefxp, xrefs: 004B1659
gfff, xrefs: 004B1F57

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: c9b34f63736c35b97ccea30ca52ee9095285d7c4a814febdf3fd19aa748e97e8
Instruction ID: 2c6d6c0bf18db3176dae04069eb721561e5f6d610dec66fa2a1ea47113f61b00
Opcode Fuzzy Hash: c9b34f63736c35b97ccea30ca52ee9095285d7c4a814febdf3fd19aa748e97e8
Instruction Fuzzy Hash: 55F1D43060C3818FC715CE29C5902AAFBE2AFD9304F188A6EE4D987356D778D945C7A6

Function 004B13A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

-, xrefs: 004B1F23
gfff, xrefs: 004B1F3C
0123456789ABCDEFXP, xrefs: 004B13A3
0123456789abcdefxp, xrefs: 004B13AD
gfff, xrefs: 004B1F57

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 290de1286e1dd91c37a0650749b7a32aa84ad72ca1d8a688abb8b8233173c5ce
Instruction ID: f35da2a6711134763ca6d8335a38c8d41d476c32765f9b1fa64811a9990cb905
Opcode Fuzzy Hash: 290de1286e1dd91c37a0650749b7a32aa84ad72ca1d8a688abb8b8233173c5ce
Instruction Fuzzy Hash: 91D1C33160C7818FC715CE29C5902AAFFE2AFD9304F08CA6EE4D987356D678D945CB62

Function 006879CA Relevance: 6.3, Strings: 4, Instructions: 1305COMMON

Download Yara Rule

Strings

:r}_, xrefs: 0068801C
2_Wn, xrefs: 0068851C
o'ow, xrefs: 00687B92
2_Wn, xrefs: 00688521

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 2_Wn$2_Wn$:r}_$o'ow
API String ID: 0-2205032354
Opcode ID: 0ea0542ce8da6704c48f456e970adefdf16ac449b790cc838fbd60099c0c70ca
Instruction ID: fd209438ea3c070175b89bf790747221a25ea86b3f257409aa07acfb50343dec
Opcode Fuzzy Hash: 0ea0542ce8da6704c48f456e970adefdf16ac449b790cc838fbd60099c0c70ca
Instruction Fuzzy Hash: 8792F6F360C2049FE704AE29EC8567AFBE5EF94720F16893DE6C483744EA3598058797

Function 004DFD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

m1s3, xrefs: 004DFEC3, 004DFECB
NA_I, xrefs: 004E036D
uvw, xrefs: 004DFE95
:, xrefs: 004E0087

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 775e918b907039496d966a89dd029a899198e6fce23dff9a7d13ffd9aaa8689d
Instruction ID: 7d620b69956b90d8f73d7fa56d813bad904b9e89ce99bf33d2120c98340a8f65
Opcode Fuzzy Hash: 775e918b907039496d966a89dd029a899198e6fce23dff9a7d13ffd9aaa8689d
Instruction Fuzzy Hash: 5832BA70508380DFD310DF2AD880A2FBBE1AB99345F14495DF5E18B292D379D949CF9A

Function 004C3BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

ss, xrefs: 004C3C79
p, xrefs: 004C3C80
%*+(, xrefs: 004C3EC4
;z, xrefs: 004C3C87

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: ba1e41a634f4c7e34c43ba4736325681ed38b99272fdb61bcd3f8b1daeb13fe1
Instruction ID: 9f2590a6259d58813e0c1e7b046da326207fa0c856ed839fe02ea7b454756648
Opcode Fuzzy Hash: ba1e41a634f4c7e34c43ba4736325681ed38b99272fdb61bcd3f8b1daeb13fe1
Instruction Fuzzy Hash: D4027DB4810B00AFD760DF29D986B57BFF4FB01305F50895DE89A8B646E334A419CFA6

Function 004D2260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

hu, xrefs: 004D232F
a|, xrefs: 004D2317
lc, xrefs: 004D2507
sj, xrefs: 004D2327

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 36edb66a4b784a5ed97be69a1b6bddd1b6bd96992c23292c3b63c08979c157ca
Instruction ID: ec74b1ce5ae985d41f1094e0b24f350a7dd176eb522a035d1f42326efcec86e5
Opcode Fuzzy Hash: 36edb66a4b784a5ed97be69a1b6bddd1b6bd96992c23292c3b63c08979c157ca
Instruction Fuzzy Hash: ADA1AD704083418BC720DF18C8A1A2BB7F0FFA6354F548A0EE8D59B391E379D941CB9A

Function 0068C8AF Relevance: 5.2, Strings: 3, Instructions: 1477COMMON

Download Yara Rule

Strings

o-, xrefs: 0068D431
e~o, xrefs: 0068D6B7
!Sm, xrefs: 0068D270

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: !Sm$e~o$o-
API String ID: 0-3958240453
Opcode ID: cb81a3e2179e83ee2ecd712a284c78da3ea93d6d762b41c27ee9120d3b93c203
Instruction ID: b1945092b79ee2ef063655476333ce6d48bd87c6afb84d1ddfdc152f43bdde02
Opcode Fuzzy Hash: cb81a3e2179e83ee2ecd712a284c78da3ea93d6d762b41c27ee9120d3b93c203
Instruction Fuzzy Hash: 6DA2F5F3A0C6049FE3046E2DEC8566ABBE9EF94720F1A493DEAC4C3744E63558058797

Function 004DD7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

CV, xrefs: 004DD98B
T>, xrefs: 004DD984
KV, xrefs: 004DD97D
#', xrefs: 004DD9EA

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 6cbff343e56fd48656deef998069508378b6f19c6a091356673fbd7698514d16
Instruction ID: 51b87c05cf66a84e8813d66acd5ea54fd3cf36d24992cbf55e653ff09792e266
Opcode Fuzzy Hash: 6cbff343e56fd48656deef998069508378b6f19c6a091356673fbd7698514d16
Instruction Fuzzy Hash: 7A8154F4801B459BCB20DFA6D28516EBFB1BF12300F60460DE4966BB55C334AA55CFE6

Function 004DAC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

(g6e, xrefs: 004DACA1
,{*y, xrefs: 004DAD07, 004DAD13
lk, xrefs: 004DACBC
4c2a, xrefs: 004DACA9

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: cf64a3a11f060ecd784413c03ef650d929ca32fbbad637ec6b0b1b5f3d209566
Instruction ID: 78965f1ec2f0041e2ff62fe5b28f1bb654da3bcbcadd3b65514e044fe03fbbf9
Opcode Fuzzy Hash: cf64a3a11f060ecd784413c03ef650d929ca32fbbad637ec6b0b1b5f3d209566
Instruction Fuzzy Hash: BF4162B44083828BD7209F20D914BABB7F1FF86305F54995EE5C897260DB35D948CB9A

Function 004DC470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004DC8C3, 004DC8CB
%*+(, xrefs: 004DC9E4, 004DC9ED
~/i!, xrefs: 004DC537

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: ce4175a379c9ab6ed954144aaa856ba697107e99c77109acb33abaf49aa073e1
Instruction ID: 40509610d6c621e355d0baab295a81176307c6b4a91fecf8b5f274ca3daebdc6
Opcode Fuzzy Hash: ce4175a379c9ab6ed954144aaa856ba697107e99c77109acb33abaf49aa073e1
Instruction Fuzzy Hash: D0E183B1508345DFE3209F25D880B2FBBE5FB95344F48882EF6898B251D73AD814DB96

Function 004B8590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 004B860C
IEND, xrefs: 004B89F0
), xrefs: 004B8616

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 3c79e39794186dcb60503463ede3afec0aaa7748cb11091105fbbfd334861034
Instruction ID: 8abfca00e50eaf42be7da73bf7b52705135bcfd27d15891d8d1976fcececf9c8
Opcode Fuzzy Hash: 3c79e39794186dcb60503463ede3afec0aaa7748cb11091105fbbfd334861034
Instruction Fuzzy Hash: 63E1E4B1A083019FE310CF29C8817ABBBE4BB98314F14492EF59597381DB79E915CBD6

Function 0068FD33 Relevance: 4.1, Strings: 2, Instructions: 1596COMMON

Download Yara Rule

Strings

e>zb, xrefs: 0068FD50
#gq, xrefs: 00690382

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: #gq$e>zb
API String ID: 0-1281878625
Opcode ID: 39c7d2d1fc5288c94d0b00046eacb9042221ac5ab9fe957079cf80a7913392c7
Instruction ID: 537da4cdf68ca7371ad7864bc9f2275a6afdb1a437afb2de15f6c895dec60efc
Opcode Fuzzy Hash: 39c7d2d1fc5288c94d0b00046eacb9042221ac5ab9fe957079cf80a7913392c7
Instruction Fuzzy Hash: B7B2F8F360C2049FE304AE2DEC8567ABBE9EF94720F16893DE6C4C7744EA3558418697

Function 004F4040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004F40A4, 004F40AD
f, xrefs: 004F420C

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 07596eea150fc1f2c925142b75e98c0abea4eecb15b88a0ba10d63df87f6bff0
Instruction ID: 040ec3d9436dfb9b2f6a267aeb2bd112cc26200340dfd14d11322ec68cff7445
Opcode Fuzzy Hash: 07596eea150fc1f2c925142b75e98c0abea4eecb15b88a0ba10d63df87f6bff0
Instruction Fuzzy Hash: E112AC716083449FC714CF18C880B2FBBE1FBC9314F188A2EE69497391DB39E8458B96

Function 004EF620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 004EF7F5
hi, xrefs: 004EF6E6

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: e02539052fcd7125990db9f96c8a949efde80311deb06244a6fb2d1c17a1aa7d
Instruction ID: 5df67f8ce79acc5d7a995d0dd8bcb47c7d263e9026a7e06a3d82cf311053cfe4
Opcode Fuzzy Hash: e02539052fcd7125990db9f96c8a949efde80311deb06244a6fb2d1c17a1aa7d
Instruction Fuzzy Hash: 7EF1A771618342EFE304DF25C896B2EBBE5FB96345F14992DF0858B2A1C738D849CB16

Function 004B35B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 004B3607
NaN, xrefs: 004B360E

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: d1d9275d3b2486a309cee17af77bfd290ecb3f40fb051b7be9b71e5c00f2729b
Instruction ID: ede10f63f724e6cd2726f4040a1f619ce7c39c93e40d3cee5c76b4da905481ed
Opcode Fuzzy Hash: d1d9275d3b2486a309cee17af77bfd290ecb3f40fb051b7be9b71e5c00f2729b
Instruction Fuzzy Hash: 41D106B1B083119BC714CF29C88065FB7E1EBC8750F24892EF99997390E779DD058B96

Function 004CFFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 004D00F6
BaBc, xrefs: 004D0197

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: cf0832f09fef7cb1b1ad3512437fa46a64c1210038a981bb4ed4de1ab556e433
Instruction ID: 62ce1fd6effebb95c3c6e0322f192ed568cbf495acee377fd1b3d2e1cb9a0fb5
Opcode Fuzzy Hash: cf0832f09fef7cb1b1ad3512437fa46a64c1210038a981bb4ed4de1ab556e433
Instruction Fuzzy Hash: D551CDB16083818BD331CF14D891BABB7E0FF96314F08891EE4998B751E3789940CB5B

Function 00639027 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

6Qlu, xrefs: 006391B5
v^, xrefs: 00639097

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 6Qlu$v^
API String ID: 0-1529389722
Opcode ID: 9c30159717b564dac48b447e083538621ae80bd6d719ad0801cf907e4de39ae2
Instruction ID: 8f5e207d2f13d0ac4e99ae47691f6da62c13c3648eaacc742b4189548207139a
Opcode Fuzzy Hash: 9c30159717b564dac48b447e083538621ae80bd6d719ad0801cf907e4de39ae2
Instruction Fuzzy Hash: 854126F3E192245BE3046968DD5536AB6DADB94320F2F423DCA84D7784F938590946C2

Function 00613A5C Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

1`^~, xrefs: 00613B94
0\~, xrefs: 00613BB6

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 1`^~$0\~
API String ID: 0-1954098863
Opcode ID: c66104a95122e851c3578606e3e73b4d8a776d27e9a02f372b290944ed63354d
Instruction ID: 203846e02f34e3dd591c9226c0c774f039bea96a7464adc25740f563a6245d3e
Opcode Fuzzy Hash: c66104a95122e851c3578606e3e73b4d8a776d27e9a02f372b290944ed63354d
Instruction Fuzzy Hash: A94109B3A082049FE305AE3DDD8572ABBD6EB98710F158A3CE9C4C7388E93569148653

Function 004B5160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 004B54C8

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: d509ccf49dd356b6d5cf13b93478d897ea39ddbc5ea45446ab42702bb3129cc2
Instruction ID: cc44b197ad565e2afa67e30642a9d101b522cd78eab710dda2d9a0e7238bb6be
Opcode Fuzzy Hash: d509ccf49dd356b6d5cf13b93478d897ea39ddbc5ea45446ab42702bb3129cc2
Instruction Fuzzy Hash: FE22F6B2A08B418BE7258E18D5403A7FBE2AFE0304F1D856FD8594B341EB79DC45C76A

Function 004E12D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 004E15D1

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: d2be6c484bacb26296907e15f25f9e7a142a5677a5a6ba9c7cdd13552b500872
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 95F16971A483814FC724CF26C48066BBBE5AFC5345F1CC96EE89A873A2D638DD05C796

Function 004DAE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004DB2D3, 004DB2DB

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: e5b9904dc93728790925379fdaf9a7b1e02164f65895d064c5163b71c5d4319c
Instruction ID: 1c4693da75a5ee5277ffd15d07aecaf535f28f9d62b201aefa71745831337d55
Opcode Fuzzy Hash: e5b9904dc93728790925379fdaf9a7b1e02164f65895d064c5163b71c5d4319c
Instruction Fuzzy Hash: 0AE1A971508306CBC714DF29C4A056FB7E2FFA9781F55891EE8C587320E338A959DB8A

Function 004C6EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004C6EF3

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 29853926a5b4aca7a5d3a0cf62bdaeafb53e7fc2e6d88143ddfc639f51c57d7c
Instruction ID: a0b153567eaf2db45a11f8a1f06c97c9ca58ceb066e9a783e22c88a066e2f541
Opcode Fuzzy Hash: 29853926a5b4aca7a5d3a0cf62bdaeafb53e7fc2e6d88143ddfc639f51c57d7c
Instruction Fuzzy Hash: F4F1AEB9A00A018FC724DF25D881A26B3F2FF58314B15893EE59787791EB38F815CB59

Function 004D7E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004D8263, 004D826B

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 55b62bab7676e5621ec1ae4bbef99069f6f23a8933da46e539c890662cebe048
Instruction ID: 1c042843dad358284ecd342b04e8ffb7df674b90185eae86715a4c8e15162f65
Opcode Fuzzy Hash: 55b62bab7676e5621ec1ae4bbef99069f6f23a8933da46e539c890662cebe048
Instruction Fuzzy Hash: 80C1CF71508200ABD711AB14C8A1A3FB7F5EF96754F48881EF8C597351E738ED05CBAA

Function 004D8D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004D9233, 004D923B

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: d65e40f4bb0fa310d54f336cbd5d585eda097951f3390b46cf9a53483c196fc3
Instruction ID: fa0979d0a88eeb323aad634d989e62f6cee82bbdb0f774c7d034ff2070a59cdc
Opcode Fuzzy Hash: d65e40f4bb0fa310d54f336cbd5d585eda097951f3390b46cf9a53483c196fc3
Instruction Fuzzy Hash: 82D1CB71618302DFD704DF68D890A2AB7E5FF99304F49886EE886C7391DB34E854DB61

Function 004C4487 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

BIL, xrefs: 004C485E

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: BIL
API String ID: 0-3532552523
Opcode ID: 011829d4dd883f44493a950d198bf86c52dc62b01b69168a5326cc8a2216cecb
Instruction ID: 7b56b9315d2a145be5699c5f5f442b11eb2708e3f257948e2eff20dba8a47bbe
Opcode Fuzzy Hash: 011829d4dd883f44493a950d198bf86c52dc62b01b69168a5326cc8a2216cecb
Instruction Fuzzy Hash: 54E100B5601B008FD365CF28D9A2BA7B7E1FF46708F04886DE4AA87752D735B814CB58

Function 004F7FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 004F8167

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 109605f74c3ead87e238e98c8d15a2d3cd11b419e463441dd0bd71145d172b8b
Instruction ID: 7b19b375b69b9610dce3eb53da847aebf880d414d6f699cfa50103d1a0b8919c
Opcode Fuzzy Hash: 109605f74c3ead87e238e98c8d15a2d3cd11b419e463441dd0bd71145d172b8b
Instruction Fuzzy Hash: EBD117329082694FC725CE18D89072FB7E1EB85718F168A2DEAA56F380DB75DC06C7C5

Function 004F6CBF Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"pO, xrefs: 004F7015

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: "pO
API String ID: 0-232025707
Opcode ID: 2889a094be2c979e5df4d24b32886b631cd40acd97936d81b5d4282728d32172
Instruction ID: 03d5c596df6ca30495fb7f4e3b44e8fcb73fa5cc18e2ac13db861f20f0f975a3
Opcode Fuzzy Hash: 2889a094be2c979e5df4d24b32886b631cd40acd97936d81b5d4282728d32172
Instruction Fuzzy Hash: E0D1CC36618355CFC714CF28D88052EBBE6BF9A314F098A6DE991C73A1D334DA48DB91

Function 004DCCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004DCDC3, 004DCDCB

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 13a9e65782e7435a0745dc47c1d44aff3746946da6402ac1867d6015602770f9
Instruction ID: 05ac8f7b9ff322e67df63647a5d308d950b34e7f9e3f30ffc853a8253bd299ab
Opcode Fuzzy Hash: 13a9e65782e7435a0745dc47c1d44aff3746946da6402ac1867d6015602770f9
Instruction Fuzzy Hash: EAB1F470A083029BD714DF14D8A0B2BBBE2EF96344F14492FE5C587391E339E855CB9A

Function 004BA850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 004BA9C3

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 7be34f7f5a908f3dae55b388b8f551326f9f3436e3b35f3fcc105ef7ed3bdca0
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: 99B127702083819FD324CF18C88465BBBE1AFA9704F448E2DF5D997742D675EA18CB67

Function 004EFC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004EFCA4, 004EFCAD

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 0f84cfaf335a141849cee1e62d88fae76da7ac29ff929325ffced9216577ee48
Instruction ID: b49525c6ef68db6c3d598d96942011396dda1d57e7c6744d711344cbfa096c60
Opcode Fuzzy Hash: 0f84cfaf335a141849cee1e62d88fae76da7ac29ff929325ffced9216577ee48
Instruction Fuzzy Hash: B7811F70108345EBE710DF5ADC85A2FBBE1FB99746F14482EF28583241E338E818DB66

Function 004CD457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004CD663, 004CD66B

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 92ee8a889b91a33d22f30eff8a3a3193cadfbc417d16c15e0bbdea06e7791b93
Instruction ID: f6a10a75a4824844060350a3f0bbcecb568bbdad5798a4fb56c033ddc45a241a
Opcode Fuzzy Hash: 92ee8a889b91a33d22f30eff8a3a3193cadfbc417d16c15e0bbdea06e7791b93
Instruction Fuzzy Hash: 5961C075904204EBD710AF18DC82B3B73A0FF94358F08042EF98597391E739D915D796

Function 004F4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004F4C33, 004F4C3B

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 71e16b38f800fe4d83e8f29e00006f737532391794825e0e3885194c370a438c
Instruction ID: 581746b3a78fd37ba0e05e0550bce7fecd1d87c23f2389b33eb18b7446635ff8
Opcode Fuzzy Hash: 71e16b38f800fe4d83e8f29e00006f737532391794825e0e3885194c370a438c
Instruction Fuzzy Hash: D861EF716083499BD710DF19C880B3BBBE6EBC5314F19891EE68587392DB39EC01DB5A

Function 004BE1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 004BE333

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 0ea04db1a0763521d00ceb0405f9b7587d18a388171dc43dfce8136909b3bf05
Instruction ID: c2c9bbfebb3e63642b71800a52ea379a50cbd8b107f9d0620b81343dee0646ef
Opcode Fuzzy Hash: 0ea04db1a0763521d00ceb0405f9b7587d18a388171dc43dfce8136909b3bf05
Instruction Fuzzy Hash: 40513A23A1959147D328993E4C552EA7AC70FD2334B3DC7BAE9F1873E1D51988029365

Function 004F3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004F39E3, 004F39EB

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 22b5d54c9883d3e7711f356007ca80fa00dc5ce082987b5d7c49ffbc38d1019b
Instruction ID: a2f14af76e362e4ddda28fabc21105130233cfe2fb1e940f20a9e2e68a6cb8d4
Opcode Fuzzy Hash: 22b5d54c9883d3e7711f356007ca80fa00dc5ce082987b5d7c49ffbc38d1019b
Instruction Fuzzy Hash: 4151B2709092049BCB14DF16D880A3FBBE5EF85746F14881EE6C687351D379DD10DB6A

Function 004C1BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 004C1C3E

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: b036a184762f490e488498e609b41008af44a94d88f562fddc4f054b81dd649e
Instruction ID: bdd1efbd4bce78ef3d1ccaeef6ebf3fbef272ee23f42e19be6b574e15463d819
Opcode Fuzzy Hash: b036a184762f490e488498e609b41008af44a94d88f562fddc4f054b81dd649e
Instruction Fuzzy Hash: 044152B80083809BC7549F25C894A2FBBF0FF96314F04991DF9C69B2A1D73AC915CB5A

Function 004EFF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004F0033, 004F003B

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 3dc0f3a0eaa6a672d0bef3aeb41080000f5924be035b7f2f51bdf37601fb60c9
Instruction ID: ef471d0387c2b0f6a2abbb79545463e43cecca1ae860bccf9d87618cbbfbc973
Opcode Fuzzy Hash: 3dc0f3a0eaa6a672d0bef3aeb41080000f5924be035b7f2f51bdf37601fb60c9
Instruction Fuzzy Hash: 4A3105B1904309AFD710EA15EC81B3BB7E8EB85748F54482AFA84D7253E639DC14C76B

Function 004DE40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 004DE6A2

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: f6b5c58489e2ed616335730f15ff4603f103ec3d0123b5b631f31e45466a469c
Instruction ID: 64ae5c849eb43fcfc2ff66f8cc4e43189b2b522deeb484d35138d5a7f42dc2ab
Opcode Fuzzy Hash: f6b5c58489e2ed616335730f15ff4603f103ec3d0123b5b631f31e45466a469c
Instruction Fuzzy Hash: 0231F8B5900604CFC720EF96E8D05AFB7B4FB1A305F54086EE446AB301D339AD05CBAA

Function 004C6F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 004C703B

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: d80a5ae06428a2ab746e92d5866d2346ebe625c8df175fedd47f191711d0f5e0
Instruction ID: 8e98169751b0087e8fe877736d3fbfbcd52e8eba1fad227269c4362330f5bf00
Opcode Fuzzy Hash: d80a5ae06428a2ab746e92d5866d2346ebe625c8df175fedd47f191711d0f5e0
Instruction Fuzzy Hash: 46413679204B049BD7348B66C995F27BBF2FB09704F14881DE6869BAA1E335E8009F18

Function 004DE66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 004DE6A2

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: de2d91d80b6cafd8a32e45bacc36de45dd6da5081679676b3cf46f66e1323e33
Instruction ID: fc114eae9ef9471f91784c9fd8b19b6bc4ec391e8915ef3ee020d9672ddb55b2
Opcode Fuzzy Hash: de2d91d80b6cafd8a32e45bacc36de45dd6da5081679676b3cf46f66e1323e33
Instruction Fuzzy Hash: A021B571900604CFC720EF96D9D05AFBBB5FB1A745F54081EE446AB341C339AD05DBAA

Function 004F9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 004F9D30

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 05aa620ed8955de04145c44852c6c4b048fc9ff361517cd37c12b68b357612af
Instruction ID: 0e1096a0407b68faff38e9626eb4f1dae1cdfd84581d6743181b19814f9c227d
Opcode Fuzzy Hash: 05aa620ed8955de04145c44852c6c4b048fc9ff361517cd37c12b68b357612af
Instruction Fuzzy Hash: 923178709083049BD310EF15D880A2BFBF9EF9A354F24892DE6C897251D339D904CBAA

Function 004C4E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c10de9f5b1f81e21837bb8e83c3a0a2d392c2a0da02d079630e2e22afe9ba07
Instruction ID: ab2337cfcb104ae68dc9bb210633a032ad4023a0904bda104f8b577ec72f2fd5
Opcode Fuzzy Hash: 1c10de9f5b1f81e21837bb8e83c3a0a2d392c2a0da02d079630e2e22afe9ba07
Instruction Fuzzy Hash: 48625978500B008FD765CF25C990B2BB7F5AF4A304F54892ED49A87A52E778F844CBA9

Function 004BBEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: e5a869f97483b8d7fb242b16b07c37ff2fbe1cf69e54e1926170cc67b7db3425
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 1252C431A087118BC7259F18D4D02FBB3E1FFD5319F294A2ED98697390D738A8518B9A

Function 004F8652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e87bccd1a660e3420693ba1ac0483a3bf63657ca804440f455155d32c2f4df6
Instruction ID: 05e560d7fb2fbe4664e65a271f489051219d6af8b86aa4b89a1e898b5784ad38
Opcode Fuzzy Hash: 4e87bccd1a660e3420693ba1ac0483a3bf63657ca804440f455155d32c2f4df6
Instruction Fuzzy Hash: 4322DA75608345CFC704EF68E88062EB7E1FB9A305F09886EE68987361C735E894DF46

Function 004F86F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e383de9d54f7917ee0f3d7d4fe6bcf52e99fed132d993169368c2a3b706259c
Instruction ID: 98e11df354e3a44c1bc19f5743245875296c31217f4680fabd5273e75bc0fe77
Opcode Fuzzy Hash: 5e383de9d54f7917ee0f3d7d4fe6bcf52e99fed132d993169368c2a3b706259c
Instruction Fuzzy Hash: 1922DB75608345DFC704EF28E89062EBBE1FB9A305F09886EE68987361C735E854DF46

Function 004BB3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74122c629749dd4a91c6869d54ffafb1d813f43a12bf00cebcfa6c7579edd729
Instruction ID: 2350ba7ef8a174d994a11013f060845d5a6f11840bbbfd69f67a188da0f0ec85
Opcode Fuzzy Hash: 74122c629749dd4a91c6869d54ffafb1d813f43a12bf00cebcfa6c7579edd729
Instruction Fuzzy Hash: D7529470908B849FE735CB24C4947E7BBE1EB91314F144C2EC5D606B82C7BDA985C7AA

Function 004B71F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790e377c87520fb4b2ad63481c8e47abad75b14eafb23fee350964de8fbc65a2
Instruction ID: 2ba7bacada0e09384d73d4163c227685f61bb72f933a361933a06e896eeb585b
Opcode Fuzzy Hash: 790e377c87520fb4b2ad63481c8e47abad75b14eafb23fee350964de8fbc65a2
Instruction Fuzzy Hash: 1452C13150C3458FCB15CF28C0906EABBE1BFC9314F198A6EE8995B341D738E949CB95

Function 004B8FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562933a254225f45421f2712b3be1bcc102949e7bd333bf9f0e1b6d983e5d10a
Instruction ID: 468ef4011805951f1f1d37c694f13d4dc0caa088aa62c1eb6d6a48711a0875ec
Opcode Fuzzy Hash: 562933a254225f45421f2712b3be1bcc102949e7bd333bf9f0e1b6d983e5d10a
Instruction Fuzzy Hash: 2F42A775608301DFDB08CF29D8507AABBE1BF88316F09886DE9858B3A1D339D955CF46

Function 004B7BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb8de608d4516a19b14990f81ed27114958bab99dcaf085b29051dfe8b0b7e9
Instruction ID: 0bd5dae5514a501d93aa0b3329489464d831f6fecf5203fa2442ee0d11896bc5
Opcode Fuzzy Hash: 3cb8de608d4516a19b14990f81ed27114958bab99dcaf085b29051dfe8b0b7e9
Instruction Fuzzy Hash: 96323370515B118FC368CF29C6905A6BBF5BF85700B604A2ED69787F90D73AF845CB28

Function 004F89A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58771dd0b8c2127ceeb20ff2e3c4f687dd45418dbda78ddd3e2aa6fe71673475
Instruction ID: 98c92b273275e4ee66ec30c0ace6625040aed9aa5761149b7440ce0e609967cd
Opcode Fuzzy Hash: 58771dd0b8c2127ceeb20ff2e3c4f687dd45418dbda78ddd3e2aa6fe71673475
Instruction Fuzzy Hash: 0402AB74608345DFC704EF68E88062EBBE1EB9A305F09896DE6C987361C739D854CF96

Function 004F8A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cebac75c50c4793e1aa4fc595c320768f575ad057953949461e47d608adde2f
Instruction ID: 819ff2ea568f7dd0f2f1a9097eecf25eafa3c2df209ebd790bdeab5cf662f9c7
Opcode Fuzzy Hash: 7cebac75c50c4793e1aa4fc595c320768f575ad057953949461e47d608adde2f
Instruction Fuzzy Hash: 6BF19874608345DFC704EF28D88062EBBE1AB9A305F098D6DE6C987361C73AD954CF96

Function 004F8C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b27ac66204b7545697e854fbc1bc3feffaf617137f3a737fcd1eeebcdf96f22
Instruction ID: 795595574b21ba2c7ef04512e609dcca331644826de17f033df3aad1c342bd3b
Opcode Fuzzy Hash: 5b27ac66204b7545697e854fbc1bc3feffaf617137f3a737fcd1eeebcdf96f22
Instruction Fuzzy Hash: 8BE1AD75608341CFC704DF28D88062EB7E2AB9A315F09896DE6C987361D736D954CF92

Function 004BA300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 05c1107abbfb470e2c7ce4bdbcd74a247438e1b3a375fb941ee3e55bb29fce45
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: D3F1CF756083418FC724CF29C8817ABFBE2AFD9304F08882EE4C587751E639E955CB66

Function 004F8E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a48a8a2aa04e001df1d1e417fb0de55c48535f3c9c4ea007df611472405213a
Instruction ID: 24a9c5846a3b7158e333e5ed3e5ce9bc760b4116ae99983fa928cfcfe97b0434
Opcode Fuzzy Hash: 4a48a8a2aa04e001df1d1e417fb0de55c48535f3c9c4ea007df611472405213a
Instruction Fuzzy Hash: 2BD1A974608285DFD704EF28D88062EBBE1AB9A305F09896DE6C587251C73AD814CF96

Function 004F7AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8fd2d38efbdf94e404efb5dda4d9bccca02cdd2424c40db293974ad0e506d8
Instruction ID: 15aa2d10c3b271de815f4198b78efbd3c02b2aff0795ec9bcc439ad86fac4bc8
Opcode Fuzzy Hash: 2b8fd2d38efbdf94e404efb5dda4d9bccca02cdd2424c40db293974ad0e506d8
Instruction Fuzzy Hash: 35B12572A083544BE714DA29CC4177BB7E5EBC9314F08092EEA9997382E73DDC058796

Function 004BAF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: 058f382221e1dbffbdb11efcbf09257306b302be7922afe23b1ade604fac4d42
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 75C157B2A087418FC360CF68DC96BABB7E1EB85318F08492DD1D9C6342E778A155CB56

Function 004C6536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a39eb8d29acaa30ed3b3de3ab3317c277831c9c718310eda4d6410c9a642a2
Instruction ID: 25d9b30db852b1671f2dabe7259e63532fe7c97ce46bdbc76094c43a114c5f54
Opcode Fuzzy Hash: c5a39eb8d29acaa30ed3b3de3ab3317c277831c9c718310eda4d6410c9a642a2
Instruction Fuzzy Hash: E9B12478600B409FC361CF24C981B57BBF1AF46704F14885DE8AA8BB52D739F805CB69

Function 004F7710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82d0fcff7aab783719901e29e143bd8ec103d0031126e0263d42978f071ed22e
Instruction ID: c11c5551ae1d211d42a4eaf0cb6864777861ac76613aad72dad1268e65bfaa35
Opcode Fuzzy Hash: 82d0fcff7aab783719901e29e143bd8ec103d0031126e0263d42978f071ed22e
Instruction Fuzzy Hash: 5791AD71A08305ABE720DF15C840B7FBBE6EB85394F54881EF68487351E738E944DB9A

Function 004FA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b27bd1589471c1b85c4b4b4869705d0dff4441b85ad29637db37daafedb1c48
Instruction ID: 7b2f663d191ae28842d4f5057880e2c9923708676935e0fe432724d6332586a2
Opcode Fuzzy Hash: 5b27bd1589471c1b85c4b4b4869705d0dff4441b85ad29637db37daafedb1c48
Instruction Fuzzy Hash: 92818D742083098BD724DF28C980A3BB7E5EF59744F45896DEA8987351E739E820CB96

Function 004E64F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377255850c77a3fc6213958462d71348843d45f03018a08905e2b392ce952ec4
Instruction ID: a98f545e649e937232c2125459c958d2699ae89ea12a870703334cfd88ff0c9e
Opcode Fuzzy Hash: 377255850c77a3fc6213958462d71348843d45f03018a08905e2b392ce952ec4
Instruction Fuzzy Hash: B5710733B29AD04BC3149D3D5C863A6AA834BE6375F3EC37AA8B48B3E5D52D4C064345

Function 004D28E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4184b7da954cf89d95272a837fae99eecdc4229a5084f9f775450e6e95356e7
Instruction ID: dea44b629762fd784b8fc0759aba46ed1f33ced7faf44fba4f3f70f4172833ce
Opcode Fuzzy Hash: c4184b7da954cf89d95272a837fae99eecdc4229a5084f9f775450e6e95356e7
Instruction Fuzzy Hash: 3C6187B44083408BD310AF15D8A1A2BBBF1EFA6754F08491EF4C59B361E379C910DB6A

Function 004D7C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d360f5cf8ce4333699b03ab32755fe2abf47e8af67640278f8d4cd1f8855d1f9
Instruction ID: 2d44f1417518e3e8f859cfb4bc6830dc1e9c5c278212d6a95531f3dc4327af31
Opcode Fuzzy Hash: d360f5cf8ce4333699b03ab32755fe2abf47e8af67640278f8d4cd1f8855d1f9
Instruction Fuzzy Hash: 2D51BFB16182049BDB209B24CCA2BB733B5EF85758F14495AF9858B391F379E801C76A

Function 0062E007 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9677c22b8352a9229659ba31874f8fc01676f38dc6f3c8e5107f9463ffe2860
Instruction ID: cce372836904dbca0a4ba1f72f251e13f3df6ae06125033ae72ec451a90d845d
Opcode Fuzzy Hash: b9677c22b8352a9229659ba31874f8fc01676f38dc6f3c8e5107f9463ffe2860
Instruction Fuzzy Hash: B571B4F39082109FE344AE29D84576ABBE5EFD4720F1B893DD9C8C7744E63988458B87

Function 004E1860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 9c82b7364c982c756d551c9a691f37892ff3f5d040b50c8c36632948de5a837d
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 3861E4316493819BD714CE2AC58072FBBE2BBC5352F64C92FE4998B371D278DC81974A

Function 004E82D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a97ec73f1ac6b858f55433c9f627c3bc662af9c7e2783d2eda933a63bdbc33
Instruction ID: b67313c93968c25059eb9d964ac6bf0ce0dadc8015a917b35855596d11155ce0
Opcode Fuzzy Hash: d9a97ec73f1ac6b858f55433c9f627c3bc662af9c7e2783d2eda933a63bdbc33
Instruction Fuzzy Hash: 40613633A1A9D14BC714453E5C453A66A835BD2732F3EC37F98B98B3E5DD6E4802834A

Function 004C42FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88571c6d8b65428302b7611f45c9f37267cf7fe6088c11caa7da9fefbd49b6dc
Instruction ID: a38258dfb4cc925dd2e0c6d6dd301843627dd3d7aa7dac3e8ca19ffb3372a4c9
Opcode Fuzzy Hash: 88571c6d8b65428302b7611f45c9f37267cf7fe6088c11caa7da9fefbd49b6dc
Instruction Fuzzy Hash: AB81F5B4810B00AFD360EF39D947797BEF4AB06201F404A2EE4EA97655E7306419CBE7

Function 004EE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: b37089279414371f55494a8774f23f6178bbf480a5391050359deb5e25c02c31
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 5F517DB16087548FE314DF6AD49435BBBE1BBC5318F044E2EE4E983350E379DA088B86

Function 004F7520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3972a062b5884a16fe56ebd49b1dfa3019cfcab1a7a4f70ca0ba66bd1e4b19f
Instruction ID: 924925c90fcb6b5a227f1c835a79e25fc2e7303da4dcc63b94b928059a2bf277
Opcode Fuzzy Hash: c3972a062b5884a16fe56ebd49b1dfa3019cfcab1a7a4f70ca0ba66bd1e4b19f
Instruction Fuzzy Hash: 8A51493160C204ABD7149E18DC90B3FB7E2EB85364F288A2DEAD597391D739EC008B55

Function 005BC327 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb60a42de606df2a2d37cc2b8e1732553ba78c691751a3e0968ee45ad43005dd
Instruction ID: 5455d9e5ec882ea99c00329b75dba81158241f11d3277c118f94330bd92993c2
Opcode Fuzzy Hash: fb60a42de606df2a2d37cc2b8e1732553ba78c691751a3e0968ee45ad43005dd
Instruction Fuzzy Hash: 0B5149F3A087045BF3049E7DECC5776B7C6EB94750F1A863DEA8893784E9356C044296

Function 004B5A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef0ee74cff9df37a704e8063fe3305c8c4c9b8c4907768034061d4b47f43c49
Instruction ID: aa5ed35a60e4db7bda73cc465e852723f004ecbc85540eed6ff594b8fc73bbb6
Opcode Fuzzy Hash: 3ef0ee74cff9df37a704e8063fe3305c8c4c9b8c4907768034061d4b47f43c49
Instruction Fuzzy Hash: 0D5106709087049FC714DF14D880A6BFBA1FF89328F15466EF8999B352D634EC42CBA6

Function 005A4154 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87463111fa4b9baf8a124e87a258dd347ab883fb4d73e2a0c59054b0d20e7f85
Instruction ID: 8513dec11477b98c2f7ae0197b58c129b0c67f855eac0197fed92b01cac13412
Opcode Fuzzy Hash: 87463111fa4b9baf8a124e87a258dd347ab883fb4d73e2a0c59054b0d20e7f85
Instruction Fuzzy Hash: E44120F36182009FF3146E2DDC857AAB7D6DBD8720F2A863DE7C583784DA7C58018686

Function 00584AC2 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6143a26c180484e8b17d0cffafb7c11a38e75ac94a29cd727f9f5511657ade3a
Instruction ID: fe31f06dd5165f8ef5928d240fd752e88fbdda92f95338c6a9193bf6d8ec5ba3
Opcode Fuzzy Hash: 6143a26c180484e8b17d0cffafb7c11a38e75ac94a29cd727f9f5511657ade3a
Instruction Fuzzy Hash: AE416CF3A082005BE3046A2AEC5577FB7E6EFD4720F2B453DE6C483784E93558068292

Function 004DEC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc8d45933eccb7b51aa65070049a67191e88352f7976dec2f690cf8064d35bc
Instruction ID: 4b28733306abf03dc62f9db6e338c985d304ea4c509dac2ff962cb3f93520fc1
Opcode Fuzzy Hash: fdc8d45933eccb7b51aa65070049a67191e88352f7976dec2f690cf8064d35bc
Instruction Fuzzy Hash: 1F41C174900316DBDF209F55DC91BAEB7B1FF0A304F04054AE945AF3A0EB389950CB99

Function 004F9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d5557021e165ef6259184d9902a86a1bd89fcca5ea311a89a366ed724d0db4
Instruction ID: 679adf8c77374b57a11974b5f17a0cfe3a24d0953d4eae10c2d9dfc12841a3f4
Opcode Fuzzy Hash: d3d5557021e165ef6259184d9902a86a1bd89fcca5ea311a89a366ed724d0db4
Instruction Fuzzy Hash: 5F41AE34608344ABD7109F15D990B3FB7E6EB85754F54882EF68987351D339EC00DB6A

Function 004C2030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c07974f9a9aaba797c57361ec7a6992b63490c4427dddfc5e5144d6ee4e1e35
Instruction ID: 72cb468a12f201e2d98029450af08c6731c38ee5146e14544bc95d2462c0461a
Opcode Fuzzy Hash: 2c07974f9a9aaba797c57361ec7a6992b63490c4427dddfc5e5144d6ee4e1e35
Instruction Fuzzy Hash: EE412836A083654FD35CCE2A859073ABBE2AFC5300F09862FE5D6873D0DAF88945D785

Function 004C1E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5d92d9b404332c81c1e1e621d3fba2f8e71f219c5612ea28ff965ee43834fc
Instruction ID: f7c89f4c4ca75fd9f7a479edf5072735be59ba9a30a28eb13ef33e1616c4efde
Opcode Fuzzy Hash: 4e5d92d9b404332c81c1e1e621d3fba2f8e71f219c5612ea28ff965ee43834fc
Instruction Fuzzy Hash: 7D41E0785083809BD360AB55C884F2EFBF5FB87745F14491DF6C497292C37AE8148B6A

Function 004F8D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babb4f48fdb8c4eb551b72d3e5d68a4c55b409c0f1d1302d798dd97f60bbeb74
Instruction ID: 8f890256870dc4598d6212e04b580083b6679a8d680a341a570f8ffb90166a26
Opcode Fuzzy Hash: babb4f48fdb8c4eb551b72d3e5d68a4c55b409c0f1d1302d798dd97f60bbeb74
Instruction Fuzzy Hash: F641BF316082988BC704DF68C49052EFBE6AF9A300F098A1ED5D99B391CB78DD018B86

Function 004CD961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bfcb272859e8b70e3998e6fcd13bbf9d636392f0b1538bc74510625e547c16
Instruction ID: 2ef90f3919aa161308eecfa2a309cbaeac818ff35cf60d200a6c21d58cf8037c
Opcode Fuzzy Hash: e3bfcb272859e8b70e3998e6fcd13bbf9d636392f0b1538bc74510625e547c16
Instruction Fuzzy Hash: 72418EB59083818BD7309F15C881BAFB7B0FFA6354F04096EE48A8B791E7794941CB5B

Function 004EF030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 3a701c1b48eab5ecd27d6eb291711a527f080c4de8497007a3fd67c1a3f458cc
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 532137329082644BC3249B1AC48053BF7E4EB9A705F06863FD9C4A7295E3399C1887E5

Function 004F67EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0403c26c00ee1ea4c5f080a9e2ceca7c6a14a756d533e36d485fbeeeb34613ac
Instruction ID: 129ef946f6a1e6e90b981bc83d51229be2f7f9ad1a86069b9207ae6196c39055
Opcode Fuzzy Hash: 0403c26c00ee1ea4c5f080a9e2ceca7c6a14a756d533e36d485fbeeeb34613ac
Instruction Fuzzy Hash: FB3114705183829AD714DF15C490A2FBBF0EF96788F54580DF4C8AB261D338D985CB9A

Function 004D5E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdf333d9d54dc2163d8594f76c2df5023b43796f1e98b82b569b4e87f3380f8
Instruction ID: 3c1019a5e0c23e20088a70d4a0ac9c608a4a41efffd56ea450092421c63e775f
Opcode Fuzzy Hash: 4bdf333d9d54dc2163d8594f76c2df5023b43796f1e98b82b569b4e87f3380f8
Instruction Fuzzy Hash: E821A1705082019BD310AF18C86196BB7F4EF96765F44890EF4D59B391E738D900CBAB

Function 004B49A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: f41f26d0238ce16dfec2a7b8054d1e2eb4e51f24d96091daf6197097f7b24c80
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 4831EF717482009BD7149E28D8805ABB7E1EFC8358F14852EE495D7342D239DC52CB6E

Function 0066F9CC Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d9d8b4014c8cc48c81f49b375afeacd9a85bae702add04e5198adfea65a3dc
Instruction ID: 4a284ad68e5738e1037db1596245c5c5241952df04d3e45f132edbb896e0a9fd
Opcode Fuzzy Hash: e5d9d8b4014c8cc48c81f49b375afeacd9a85bae702add04e5198adfea65a3dc
Instruction Fuzzy Hash: 903137E3F6152007F3540838CD59393554397D5325F2F86788E68ABBC9D8BE8C0A53C0

Function 004F64B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1d9fdd9ebca9933bba2abad3a1ebc0626bd18f35dc6278fd48711b0ce37b6f
Instruction ID: 184a087db7a6c2382cb4f16da2b56ce13135dd92d8ae1e8db7c34ff39e459dfe
Opcode Fuzzy Hash: 5f1d9fdd9ebca9933bba2abad3a1ebc0626bd18f35dc6278fd48711b0ce37b6f
Instruction Fuzzy Hash: 8321667060C204ABC704EF19D580A2FFBE6EB95744F29881DE9C593361C339A855EF6A

Function 004EB650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 14b0a86f0bc75ceba17b76b0f9b9e34870a60c7a6430a73d3dd3a28a4252a4c9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 97115933A041D50EC7128D3D8400566BFA34BA3236B18439AF4F48B2D2C3268D8A839A

Function 004E0B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: a91bc4ca3cfd8035c1cf60399c2f699266744d24494faae13634dd4a4406bac8
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 800175F5A003414BE7209E9694D1B3BB2A8BF4471DF18452EE4265B302DBB9FC45C6A9

Function 004DD1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e15b01861f89c9e660ac6863c418ae4aab6099572ea092d2405a07d4dfebe6
Instruction ID: f6b22dd024e2341b700e7b050964a2f3b92f96a856a076185c662a2f03229bff
Opcode Fuzzy Hash: 50e15b01861f89c9e660ac6863c418ae4aab6099572ea092d2405a07d4dfebe6
Instruction Fuzzy Hash: C7111FB0408380AFD3109F618494A2FFBE0EBA6714F148C0EF2A45B251C379E809CF4A

Function 004B6EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0603dd26d73ace988990b16064e80d1ecb68fb8540fa53021182783f411da8a1
Instruction ID: e6f78cb03d749814613ca3b770e97c55cb9bcaadb063b847eb4dfdd637f2bc63
Opcode Fuzzy Hash: 0603dd26d73ace988990b16064e80d1ecb68fb8540fa53021182783f411da8a1
Instruction Fuzzy Hash: 6AF0593E71820A0BA210CDBAE88087BF3D6D7CA355B06553DEF40C3301CD7AE80282E8

Function 004EB8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 004CC5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 004CB410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 886e73b10f154885a0b7eb3b78fb8aa396eeecc6e9c2e9c0d8089b61e8c6da2e
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: FDF0ECB560861057DF668A559CC1F37BB9CCB87354F19042FE84557203D2655849C3ED

Function 004E8220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256192d56a0f9841703848222c4866e185d69c2f40a506b8904a8001bebb5865
Instruction ID: df52289abe9f2020cf1631b9dccb436b15e41891abfdd0680a7f3a6ce968af1c
Opcode Fuzzy Hash: 256192d56a0f9841703848222c4866e185d69c2f40a506b8904a8001bebb5865
Instruction Fuzzy Hash: 7901E4B04107009FC360EF29C585757BBE8EB08714F008A1DE8AECB680D774A544CF82

Function 004F1440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: efbc2e7c2d19d7992e79f5c28f0f93ff9f6015aad31c571f46e91969a1b55c98
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 89D0A731608321869F748E19A400977F7F0EAC7B11F49955FF686E3258D234DC41C2AD

Function 004C1ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4526ba3436f30303c44137be14f738e5389809621c4fd766dd1303e5409474e8
Instruction ID: e0728ddd9754e631c078b396cd483a6579605016aa314971a4095d7e115c2421
Opcode Fuzzy Hash: 4526ba3436f30303c44137be14f738e5389809621c4fd766dd1303e5409474e8
Instruction Fuzzy Hash: 95C01238A180008BC244CF00A895A36A2B8AB27208700603ADA02E3222CA20C42AE90E

Function 004F6094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b47bd3ef5c60253f1993e0709f38b414be070db25fb4deac5473d6469496330
Instruction ID: cca9b67a53872a2ff4c2a9738ca3a9369fd7cf5d075870f5ea70c6ebad2dcc25
Opcode Fuzzy Hash: 7b47bd3ef5c60253f1993e0709f38b414be070db25fb4deac5473d6469496330
Instruction Fuzzy Hash: 5DC09B3466D00487D30CCF05D951579F77E9BA771C724B05ECD0623355C134D517A51D

Function 004C1A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7817e9bb0571ec4fd0aab7bf56b921f2db74bcd3c0c6b813cdbfef66e71e16ec
Instruction ID: 425ba2bc1d89ed014e71acc5fd4fccef03938807c923654b31137e313dff79eb
Opcode Fuzzy Hash: 7817e9bb0571ec4fd0aab7bf56b921f2db74bcd3c0c6b813cdbfef66e71e16ec
Instruction Fuzzy Hash: 79C09B34A59040CBC244CF85E8D1532A3FC571720C710303F9B03F7272C560D419D50D

Function 004F5FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2162257930.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2162241228.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.0000000000510000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000069F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.000000000077D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162303620.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162575581.00000000007C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162738569.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2162755800.0000000000963000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac75551da1f728846ee6c200e6b4d38c009dfce6ab7311c814bf7e97df81a531
Instruction ID: 6a0e8d189d5d025813ffa76a4ad6505562498fb20da5e94fc8dd00a26ef9cb21
Opcode Fuzzy Hash: ac75551da1f728846ee6c200e6b4d38c009dfce6ab7311c814bf7e97df81a531
Instruction Fuzzy Hash: 00C09224B690008BE34CCF19DD51A39F6BE9BABA1CB14B02DCC06A3256D134D51A960C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 004BFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 004BD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 004F5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 004F5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 004F695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 004C049B Relevance: .3, Instructions: 264
COMMON

Function 004C0228 Relevance: .2, Instructions: 218
COMMON

Function 004F3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 004F3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON